Any controller wishing to transfer personal data outside the EEA must first ensure that the country of destination offers an adequate level of protection. If the level of protection of the destination country can be considered adequate, the personal data may be transferred in the same manner as if they were transferred within the EEA.
The general principles of the GDPR (e.g. lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to data subjects) must, in all circumstances, be observed.
The European Commission is authorised to decide that a country, a territory or one or more specified sectors within that third country, or an international organisation offers an adequate level of protection, and has done so for the following countries:
- Canada (only for commercial organisations subject to the Canadian « Personal Information Protection and Electronic Documentation Act »);
- the Faroe Islands;
- Isle of Man;
- apan (only for personal information handling business operators subject to the Japanese “Act on the Protection of Personal Information” as complemented by the “Supplementary Rules set”);
- New Zealand;
- Uruguay; and
- the United States of America (limited to the « EU-U.S. Privacy Shield Framework »).
Adequacy talks are also ongoing between the European Commission and South Korea.