Can I process data outside the EU under the GDPR?

The GDPR allows the transfer of personal data to non-EU countries (so-called “third countries”) to ensure international trade and cooperation.

You can transfer data to countries that ensure an adequate level of protection: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, United Kingdom, South Korea and USA (if the receiver belongs to the Data Privacy Framework). In those countries, national legal regulations provide a level of protection for personal data that is comparable to that of EU law.

To transfer data to a third country that does not ensure an adequate level of protection, meaning there is no adequacy decision from the European Commission, you need to make sure that the personal data will be protected by the recipient.

This can be assured, e.g., by using standard contractual clauses, for data transfers within a group of companies through so-called binding corporate rules, or through a commitment to comply with codes of conduct that have been declared by the European Commission as being generally applicable.

There are several exceptions that authorise data transfer to a third country even if the protection of personal data can’t be sufficiently assured. Most frequently, the consent of the data subject is required here.

This content is provided for educational purposes only. GDPR is fact-specific and the way it applies to your organization may differ from what’s discussed in this article. Please do not treat it as a substitute for a professional legal opinion. Always consult your lawyer or other professionals responsible for data protection within your organization. GetResponse can’t be held liable for any indirect, special, incidental, or consequential damages arising out of any use of or reliance on any content or materials included here.