CIPP/E Study Guide
IAPP Training · Module 7 - BoK III.D

Module 7 · The landscape: three options in order

When personal data leaves the EEA (the EU plus Iceland, Liechtenstein and Norway) it must stay protected to an EU-equivalent standard, and this applies to onward transfers too. First confirm there is an Article 6 legal basis to process at all. Then work through the transfer mechanisms strictly in order: (1) adequacy decisions, (2) appropriate safeguards, (3) derogations. The controller must also inform data subjects about the transfer - whether or not an adequacy decision exists, and which safeguards are used.

A transfer of personal data out of the EEA is only allowed if protection travels with the data. The GDPR sets up a clear hierarchy. You do not get to pick freely - you consider the mechanisms in order.

  1. First, check there is an Article 6 legal basis - a transfer mechanism is not a substitute for a lawful basis to process.
  2. (1) Is there an adequacy decision for the destination country? If yes, no extra safeguards needed.
  3. (2) If not, can you use appropriate safeguards (SCCs, BCRs, codes/certification, ad hoc clauses, international agreements)?
  4. (3) Only if neither applies, can a derogation under Article 49 justify the transfer?

Burn this in

The order is fixed: adequacy → appropriate safeguards → derogations. Derogations are a last resort, not an alternative you reach for first. And the controller must always inform data subjects about the transfer and the safeguard used.

The duty to protect follows the data even after it arrives - onward transfers from the first recipient to a further party must also meet the adequate-protection standard.

Key terms - quick answers

What is “EEA”?
European Economic Area - the EU plus Iceland, Liechtenstein and Norway. GDPR transfer rules apply to data leaving this zone.
What is “Onward transfer”?
A further transfer of the data by the original recipient to yet another country or party. It must also be protected to an adequate standard.
What is “Article 6 legal basis”?
A lawful ground to process the data in the first place (e.g. consent, contract, legitimate interests). Needed before any transfer mechanism is even considered.
What is “Adequacy decision”?
A European Commission ruling that a third country offers essentially equivalent protection, so no extra safeguards are needed.