Can I process data outside the EEA under the GDPR?
The GDPR allows for the transfer of data to countries outside the European Economic Area (so-called “third countries”) to ensure international trade and cooperation.
Under the GDPR, the transfer of personal data to third countries may take place provided certain conditions are met. You can transfer data to third countries that ensure an adequate level of protection, as recognized by the European Commission, such as (as of the article’s update): Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, United Kingdom, South Korea and USA (if the receiver adheres to the EU-U.S. Data Privacy Framework). In those countries, national legal regulations provide a level of protection for personal data which is comparable to those of EU law. Data can therefore be transferred to these third countries without the need to apply additional safeguards or meet further conditions.
To transfer data to a third country that does not ensure an adequate level of protection, so there is no adequacy decision of European Commission, you need to make sure that the personal data will be adequately protected by the recipient, and provided that enforceable rights of the data subjects apply, along with effective legal remedies.
Appropriate safeguards can be provided, among other ways, by using standard contractual clauses approved by the European Commission, and for data transfers within a companies’ group through so-called binding corporate rules, or through the commitment to comply with codes of conduct, which have been declared by the European Commission as being generally applicable.
There are also several exceptions, which authorize data transfer to a third country which is not covered by a decision establishing an adequate level of protection, and no appropriate safeguards are in place. One of the exceptions is obtaining consent, which in this case means the consent of the data subject, after informing them of the risks associated with such a transfer.
This content is provided for educational purposes only. GDPR is fact-specific and the way it applies to your organization may differ from what’s discussed in this article. Please do not treat it as a substitute of a professional legal opinion. Always consult your lawyer or other professionals responsible for data protection within your organization. GetResponse can’t be held liable for any indirect, special, incidental, or consequential damages arising out of any use of or reliance on any content or materials included here.
