International data transfers

3. Transfers towards a country outside the European Economic Area without an adequate level of protection

When a country outside the EEA is not recognised by the European Commission as offering an adequate level of protection, there are several options that can be used to transfer personal data to these countries.

The CNPD recommends, as its EU counterparts, a layered approach to transfers consisting of considering first whether the third country provides an adequate level of protection and ensuring that the exported data will be safeguarded in the third country. If there is no adequacy decision, data exporters should first endeavour to apply appropriate safeguards provided for by Articles 45 and 46 of the GDPR (contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, or specific safeguards for transfers between public authorities or bodies) to the transfer. It is only in the absence of such guarantees that the data exporters should use the derogations provided for in Article 49 of the GDPR.

Dernière mise à jour