Any transfer of personal data, which are undergoing processing or which will be processed after the transfer, to a country outside the European Economic Area (i.e. European Union, Liechtenstein, Norway and Iceland) (the “EEA”) or to an international organisation shall take place only under certain conditions.
These conditions are additional to the obligations applicable to controllers and processors. Hence, a two-step test must be applied:
- firstly, the processing must have a legal basis and must comply with all relevant provisions of the GDPR (e.g. lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to the data subjects);
- secondly, the provisions applicable to international data transfers must be complied