Any transfer of personal data, which are undergoing processing or which will be processed after the transfer, to a country outside the European Economic Area (i.e. European Union, Liechtenstein, Norway and Iceland) (the “EEA”) or to an international organisation shall take place only under certain conditions.
These conditions are additional to the obligations applicable to controllers and processors. Hence, a two-step test must be applied:
- firstly, the processing must have a legal basis and must comply with all relevant provisions of the GDPR (e.g. lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to the data subjects);
- secondly, the provisions applicable to international data transfers must be complied
- 1. Transfers within the European Economic Area (European Union, Liechtenstein, Norway and Iceland)
- 2. Transfers towards a country outside the European Economic Area with an adequate level of protection
- 3. Transfers towards a country outside the European Economic Area without an adequate level of protection
- 4. International cooperation in the field of Police and Justice
- The impact of Brexit on international data transfers