International data transfers

2. Transfers towards a country outside the European Economic Area with an adequate level of protection

Any controller wishing to transfer personal data outside the EEA must first ensure that the country of destination offers an adequate level of protection. If the level of protection of the destination country can be considered adequate, the personal data may be transferred in the same manner as if they were transferred within the EEA.

The general principles of the GDPR (e.g. lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to data subjects) must, in all circumstances, be observed.

The European Commission is authorised to decide that a country, a territory or one or more specified sectors within that third country, or an international organisation offers an adequate level of protection, and has done so for the following countries:

  •  Andorra;
  • Argentina;
  • Canada (only for commercial organisations subject to the Canadian « Personal Information Protection and Electronic Documentation Act »);
  •  the Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • apan (only for  personal information  handling  business  operators  subject  to  the  Japanese “Act  on  the  Protection  of Personal  Information”  as  complemented  by  the  “Supplementary  Rules  set”);
  • Jersey;
  • New Zealand;
  • Switzerland;
  • Uruguay.

Adequacy talks are also ongoing between the European Commission and South Korea.

Dernière mise à jour