International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: December 2024

Yes.

"Third country" is not defined in the GDPR, but it refers to countries outside the European Economic Area.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

  • approved adequate/whitelisted jurisdictions
  • to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)
  • approved standard contractual clauses
  • binding corporate rules
  • derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
  • other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

ad-hoc contracts approved by the data protection authority

Note: regarding "holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority," the certification may be received or the code of conduct approved only in line with the GDPR. In light of the rulings of the Court of Justice of the European Union, the approval by a data protection authority of a country that is not a member of the EU does not necessarily safeguard the rights, freedoms and interests of the data subjects (decision in case no. C-311/18; "Schrems II decision," invalidating the EU/US Privacy Shield Framework as a tool for personal data transfer to third countries).