The protection provided by the GDPR is intended to travel with the personal data, whether within or outside the EU/EEA.
Transfers of personal data to third countries (other than stated as above) should not be made in accordance with a judgment of a court or tribunal or any decision of an administrative authority of a third country requiring a controller or processor to make the transfer, unless it is based on an international agreement or treaty.
Transfers of personal data to the US were, until very recently, deemed compliant provided they were made subject to the Privacy Shield. Following a case brought as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”) and heard in July 2020, the CJEU affirmed the validation of Standard Contract Clauses (SCCs) and invalidated the Shield. The issue remains live, as the difficulty is twofold: [THE NEXT BIT IS MISSING FROM JANE’S DRAFT – SHEET 3]
In July 2020 the European Court invalidated the Privacy Shield, and hence all but exempt transfers to the US are now non- THE REST OF THIS SENTENCE IS ALSO MISSING FROM THE END PAGE OF JANE’S DRAFT
FAQs on the Schrems case:
ICO guidance with an overview of international transfers and links to further reading
Chapter V, Articles (44) to (50) and Recitals (101) to (116) of the GDPR
EDPB’s latest guidelines on international transfers:
EDPB guidelines on Adequacy Referential
EDPB guidelines on Binding Corporate Rules for Controllers
EDPB guidelines on Binding Corporate Rules for Processors
See also, for reference, the European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World, 10 January 2017