EU data protection rules apply to the European Economic Area (i.e. the European Union, Liechtenstein, Norway and Iceland, hereafter the “EEA”). Personal data may therefore be transferred freely within this territory, provided that the processing complies with the general obligations applicable to controllers and processors provided for by the General Data Protection Regulation 2016/679 (the “GDPR”) .
However, a transfer of personal data subject to processing to a country outside the European Economic Area (a “third country”) or to an international organisation shall take place only under certain conditions as described in Chapter V of the GDPR. These requirements are additional to the general obligations provided by the “GDPR”. Hence, a two-step assessment must be applied:
- first, the transfer of personal data (as a processing activity) must have a legal basis and must comply with all relevant provisions of the GDPR (e.g. lawfulness of processing, transparency, accountability, etc.);
- second, the provisions applicable to international data transfers provided for in Chapter V of the GDPR must be complied with. Thus, transfers of personal data to a third country is only possible if:
- the data transfer is covered by an adequacy decision issued by the European Commission according to article 45 of the GDPR; or
- otherwise, if the data exporter can demonstrate the existence of appropriate safeguards as stated under article 46 of the GDPR; or
- otherwise, if the transfer falls under any of the derogations foreseen in article 49 GDPR.