What are the requirements for ‘cross-border data transfers’ under EU Data Protection Law?

Key points

European Data Protection Law prohibits transfers of personal data outside the EEA unless one of the following three exceptions applies: Adequacy, appropriate safeguards and derogations.

The restriction is meant to ensure that the rights of the individuals are adequately protected even when data is transferred to organizations that are not under the jurisdiction of one of the EEA countries.

European Data Protection Law restricts the transfer of personal data to countries outside the EEA, or international organizations. These restrictions apply to all transfers, no matter the size of transfer or how often they are carried out (see Chapter V of GDPR: Article 44–50 Transfer of Personal Data to Third Countries or International Organizations).

Under Article 44 of the GDPR:

Art. 44: General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the…