Under the EU GDPR, personal data may be transferred to a country outside the EU/EEA by meeting the requirements set out in article 46 of the regulations.
Controllers or processors may transfer personal data to recipients outside the EU/EEA: “only if [they have] provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (art. 46(1)). Such safeguards are listed in article 46(2) of the regulation and include the following:
Binding corporate rules
Standard data protection clauses adopted by the Commission or by a supervisory authority
An approved code of conduct
An approved certification mechanism
In June 2021, the European Data Protection Board (EDPB) published its final recommendations on the lawful transfer of personal data to third countries. The EDPB’s transfer impact assessment (TIA) consists of 6 steps that organizations must take, namely:
Know/map their transfers
Verify the transfer tools
Assess the effectiveness of the transfer tools
Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
Take procedural steps for the adoption of the supplementary measures identified
Re-evaluate at appropriate intervals the level of protection afforded to the personal data transferred to third countries, and monitor whether there have been, or will be, any developments that may affect it
The UK ICO’s transfer risk assessment (TRA) tool is an alternative to the approach taken by the EDPB.