May a business send my data to the US or China?

Data transfer to third countries under adequacy decision or Standard Contractual Clauses (SCCs). Adequacy countries (2026): UK, Switzerland, Japan, South Korea, Argentina, Israel, New Zealand, Uruguay, Canada (commercial), US (via Data Privacy Framework since July 2023). To these countries: free transfer. For US specifically: EU-US Data Privacy Framework (successor to Privacy Shield after Schrems II). But NOYB has already announced "Schrems III" — unstable. For non-adequate countries (China, India, Russia, Brazil, etc): SCCs required + Transfer Impact Assessment (TIA) + supplementary measures (encryption at rest + in transit, pseudonymisation, split keys). On surveillance laws (China FISA-equivalent, Russia surveillance) = often impossible to make SCC + TIA effective. Required transparency: business must state in privacy statement which countries receive your data + which safeguards. Your rights: GDPR Art. 15 access — ask "to which countries is my data sent?". No solid answer = AP complaint. Fines: Schrems II non-compliance = millions in fines (Meta €1.2 billion 2023). Next AP priority: Chinese cloud providers + low-cost SaaS from non-adequate countries.