Last review date: 27 December 2024

Yes.

Third country is not defined in the GDPR but means countries (1) outside of the European Union, and (2) countries outside of the European Economic Area.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒   approved adequate/whitelisted jurisdictions

☒   to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)

☒   approved standard contractual clauses

☒   binding corporate rules

☒   derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims

☒   other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

In case of a singular transfer that only affects a limited number of data subjects and where legitimate interests can be demonstrated following a balancing test, the data subject and the Data Protection Authority shall also be informed about the transfer. Please note that the transfer also requires that the controller has assessed all the circumstances surrounding the data transfer and has, based on that assessment, provided suitable safeguards with regard to the protection of personal data.