International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: 17 December 2024

Yes.

"Third country" is not defined in the GDPR, but the term means countries (1) outside of the European Union and (2) outside of the European Economic Area.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

  • approved adequate/whitelisted jurisdictions
  • to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)
  • approved standard contractual clauses
  • binding corporate rules
  • derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
  • other solutions: ad-hoc contracts approved by the data protection authority

If the transfer is based on "appropriate safeguards", data exporters and data importers are additionally required to carry out a "data transfer impact assessment" and, if applicable, to implement supplementary measures.

The German Data Protection Conference (a conference consisting of all independent German Federal and State Data Protection Supervisory Authorities) published guidance with respect to the EU-US Data Privacy Framework in September 2023 (available only in German).