top of page
Writer's pictureDeborah

Under the EU GDPR, personal data may be transferred to a country outside the EU/EEA by meeting the requirements set out in article 46 of the regulations.


Controllers or processors may transfer personal data to receivers outside the EU/EEA:“only if [they have] provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (art.46 (1)). Such safeguards are listed in article 46 (2) of the regulations and include the following:

  • Binding corporate rules

  • Standard data protection clauses adopted by the Commission of a supervisory authority

  • An approved code of conduct

  • An approved certification mechanism

In June 2021, the European Data Protection board (EDPB) published its final recommendations on the lawful transfer of personal data in third countries. EDPB’s transfer impact assessment (TIA) contains a total of 6 steps organizations must take, namely:

  • Know/map their transfers

  • Verify the transfers tools

  • Assess the effectiveness of the transfer tools.

  • Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.

  • Take procedural steps for the adoption of the supplementary measure identified

  • Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it.

UK ICO’s TRA tool is an alternative to the approach taken by EDPB.


Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used...

Comentarios


bottom of page