Last reviewed: December 2024
Yes.
Although 'third countries' are not defined in the GDPR, the prevailing view is that the term refers to countries outside of the European Economic Area.
Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:
☒ approved adequate/whitelisted jurisdictions
☒ to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)
☒ approved standard contractual clauses
☒ binding corporate rules
☒ derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
☒ other solutions
Please see the separate question for information on data localization provisions that are not restricted to personal data.
The GDPR leaves room for adequate safeguards to be provided through other means, including standard data protection clauses adopted by a supervisory authority or an approved code of conduct or certification mechanism together with binding and enforceable commitments of the data importer.
Apart from having a legal basis for the data transfer, a so-called 'transfer impact assessment' must be conducted prior to the data transfer. This assessment should reveal whether the data, when transferred, will be adequately protected in line with EU law standards (taking into account, e.g., the legal framework on data protection and access rights by local authorities or national security agencies in the data-receiving country) or whether any supplementary measures must be taken to increase the level of protection. If the assessment reveals an inadequate level of protection, despite supplementary measures, the transfer may not take place.