Transferring personal data internationally is deemed higher risk and therefore safeguards, designed to provide the data subject with further protection, must be in place when transferring personal data. The laws of some countries are deemed ‘adequate’ by the EU as they are robust enough to provide the protection to the data subject without further change.
A transfer of personal data outside of any of the adequate countries or to organisations not on the US Privacy Shield list requires that the organisations making the transfer have safeguards in place to protect the data.
So, if you are transferring personal data internationally and the country is not deemed to be adequate you need to ensure that appropriate safeguards are in place.
These might be:
- A legally binding instrument between public authorities or bodies
- Binding corporate rules
- Standard data protection clauses, generally within a contract
- An approved code of conduct
- An approved certification mechanism
If the country is not deemed adequate or the appropriate safeguards are not in place, then the data transfer cannot take place unless one of a series of derogations (exceptions) are available.