[Last reviewed: January 2025]

Yes.

A third country is not defined in the GDPR, but means countries (1) outside of the European Union, and (2) countries outside of the European Economic Area.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒   approved adequate/whitelisted jurisdictions

☒   to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)

☒   approved standard contractual clauses

☒   binding corporate rules

☒   derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims

☒   other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

ad-hoc contracts approved by the data protection authority