What rules apply if my organisation transfers data outside the EU?

In today’s globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries. The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as 'third country').

The GDPR provides different tools to frame data transfers from the EU to a  third country:

• sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU.
• in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include:
  • in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
  • contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
  • adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
• finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.

You're a French company intending to expand its services to South America, notably Argentina, Uruguay and Brazil. The first step would be to check whether those third countries are subject to an Adequacy Decision. In this case, both Argentina and Uruguay have been declared adequate. You’d be able to transfer personal data to those two third countries without any additional safeguards while for transfers to Brazil which is not the subject of Adequacy Decision, you’ll have to frame your transfers by providing appropriate safeguards.

• Chapter V, Articles (44 to 50) and Recitals (101) to (116) of the GDPR
• EDPB's latest guidelines on International transfers:
  • EDPB guidelines on Adequacy Referential
  • EDPB guidelines on Binding Corporate Rules for Controllers
  • EDPB guidelines on Binding Corporate Rules for Processors
• See also for reference the European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World1, 10 January 2017

1 COM(2017)7 final