The GDPR imposes restrictions on the transfer of personal data outside the EEA. Currently the EEA countries are:
Personal data may only be transferred outside the EEA in compliance with the following circumstances:
Adequacy decision by the Commission
Data transfers outside the EEA may be made where the European Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection. Currently, the following countries are considered as having adequate protection:
|Guernsey||Israel||Isle of Man||Jersey|
* (Commercial organisations only):
Transfers subject to appropriate safeguards
Organisations are able to transfer personal data where the organisation receiving the personal data has provided adequate safeguards including, but not limited to:
- binding corporate rules; or
- standard data protection clauses in the form of template transfer clauses adopted by the Commission.
Derogations from the prohibition of transfers outside the EEA
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.