The general restriction on transfers outside the EEA
The GDPR lets personal data flow freely between member states, but transfers to any country outside the EEA are restricted. A transfer to a third country (or an international organisation) is only lawful if one of three conditions in Chapter 5 of the GDPR is met: an adequacy decision, appropriate safeguards, or a derogation. The aim is to stop the EU's level of protection being undermined once data leaves Europe.
One objective of the GDPR is the free flow of personal data between member states. But the GDPR treats transfers to countries outside the EEA as needing special care. Transfers to a third country may only take place subject to the conditions of Chapter 5.
- The third country ensures an as determined by the European Commission; or
- In the absence of adequacy, the controller or processor provides appropriate safeguards - on condition that enforceable data subject rights and effective legal remedies are available; or
- In the absence of adequacy or safeguards, the transfer fits within one of the for specific situations.
The same restriction applies to transfers to an international organisation - a body governed by public international law or set up by agreement between two or more countries.
Recital 101 recognises cross-border flows are necessary for international trade, but says the EU's level of protection must not be undermined. In effect this imposes EU data protection standards on jurisdictions outside Europe, and is seen as a barrier to international commerce.