Personal data can be freely transferred within the European Economic Area (EU + Iceland, Norway and Liechtenstein) provided, of course, that the principles of the GDPR are respected. In other words, personal data may flow within the borders of the EEA as easily as within the borders of one Member State.
Transfer to third countries is possible if:
- the European Commission has decided that the third country ensures an adequate level of data protection ("adequacy decision"); OR
- the transfer is subject to appropriate safeguards, such as binding corporate rules, or standard contractual clauses for data transfers adopted by the European Commission; OR
- exceptionally, the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
Countries that provide for an adequate level of data protection
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea.
Special case: The United States
Transfer of personal data from the EU to the United States is governed by a special framework called the Privacy Shield, an agreement whereby participating companies are deemed to have adequate protection. Privacy Shield certification is held by Amazon, Dropbox, Microsoft, Google, Facebook, and 2600+ other entities (for a full list, see here). Such companies are (controversially, in the view of some) regarded as providing an adequate level of protection, and can receive transfers of personal data from the EEA.
To transfer data to a US recipient that has not signed up to the Privacy Shield Framework, researchers should contact their data protection officer to consider alternative arrangements (see above).