As a result of expanding international trade and collaboration due to globalization, an increasing amount of personal data is being transferred to and from countries outside the EU and international organizations.

This has raised challenges and concerns for how that data is being protected during and after transfer.

To maintain the level of data protection ensured by GDPR for EU residents, this regulation includes strict conditions for transferring personal data outside of the EU or European Economic Area (EEA).

Data Transfer Requirements

In cases where personal data is transferred outside of the EU or EEA, GDPR requires the relevant organizations (i.e., data importer and data exporter organizations) to adopt appropriate data protection safeguards that include technical and organizational measures.

Data transfers are allowed if the European Commission (EC) reached an adequacy decision about the country where the receiver is based. That means, the EC reviewed the non-EU state’s laws and regulations and found that they provided an adequate level of personal data protection.

In the absence of an adequacy decision, data transfers are allowed to non-EU states in the following cases:

The transfer is covered by the appropriate safeguards listed in GDPR Article 46
You have informed the data subject of possible risks and have their explicit consent
The data transfer is necessary to fulfill contractual obligations with the data subject
The data transfer is in the public interest or will protect an individual’s vital interests
The data transfer is required to establish or defend a legal claim
The transfer is being made from a public register
It’s a one-off transfer that is in your legitimate interest

Example

If data that is protected by the GDPR is transferred to countries outside the EU and/or stored there, the rules protecting that data continue to apply. This is one reason why this legislation may impact businesses all over the world, despite its scope being limited to EU residents’ personal data.

Let’s take a look at an example of a business that must comply with GDPR data transfer requirements below. This is based on an example posted by the EC.

A company based in France is planning to expand its services to Argentina, Uruguay, and Brazil. Both Argentina and Uruguay have been declared adequate by the EC. Brazil has not been the subject of an adequacy decision. How can the French company transfer to all three companies while complying with GDPR data transfer requirements?

The French company would be able to transfer personal data to Argentina and Uruguay without any additional safeguards because they have been declared adequate. In order to transfer data to Brazil however, the company would have to provide appropriate safeguards, like binding corporate rules or agreements containing contractual clauses that ensure organizational and technical safeguards are in place.

FAQs

What constitutes a data transfer under GDPR?

Under GDPR, a processing of personal data constitutes as a data transfer to a third country (ie. a country outside the EEA) or international organization if it meets the following three criteria:

The data controller or processor (or "data exporter") is subject to the GDPR for the given processing.
The "data exporter" transmits or otherwise makes personal data available to a “data importer”.
The “importer” is in a third country outside the EEA, or is an international organization.

What does the adequacy decision mean?

An adequacy decision means that a third country has been declared as offering an equivalent level of protection for personal data as the EU by the European Commission, so a data exporter can transfer data to a company in that country without needing to adopt further data protection safeguards or being subject to additional conditions.

Can you transfer data outside the EU according to GDPR?

Yes, but only if the EC reached an adequacy decision about the country where the receiver is based or it matches one of the cases below:

The transfer is covered by the appropriate safeguards listed in GDPR Article 46
You have informed the data subject of possible risks and have their explicit consent
The data transfer is necessary to fulfill contractual obligations with the data subject
The data transfer is in the public interest or will protect an individual’s vital interests
The data transfer is required to establish or defend a legal claim
The transfer is being made from a public register
It’s a one-off transfer that is in your legitimate interest

Data Transfer Requirements

FAQs

GDPR Overview

What is GDPR Compliance?

Who Does GDPR Apply To?

Who Enforces GDPR?

GDPR Fines and Penalties

GDPR Requirements

What Are GDPR Compliance Requirements?

What Is Personal Data Under GDPR?

A Guide to GDPR Data Subject Rights

GDPR Data Privacy Principles

Data Controller and Data Processor Requirements

Data Transfer Requirements

Automating GDPR Compliance

Manual vs. Automated: Simplify GDPR Compliance

The Cost Benefits of GDPR Compliance Automation

Security Insights

Maintaining GDPR Compliance

GDPR Tools and Resources

GDPR Privacy Notice Examples

GDPR Cookie Consent Notice Template

GDPR Training

Why Secureframe

Products

Features

Solutions

Top Frameworks

Partner Program

Audit Partners

Channel Partners

Resources

Featured

Company

Data Transfer Requirements

Data Transfer Requirements

Example

FAQs

GDPR Overview

What is GDPR Compliance?

Who Does GDPR Apply To?

Who Enforces GDPR?

GDPR Fines and Penalties

GDPR Requirements

What Are GDPR Compliance Requirements?

What Is Personal Data Under GDPR?

A Guide to GDPR Data Subject Rights

GDPR Data Privacy Principles

Data Controller and Data Processor Requirements

Data Transfer Requirements

Automating GDPR Compliance

Manual vs. Automated: Simplify GDPR Compliance

The Cost Benefits of GDPR Compliance Automation

Security Insights

Maintaining GDPR Compliance

GDPR Tools and Resources

GDPR Privacy Notice Examples

GDPR Cookie Consent Notice Template

GDPR Training