In today’s globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Therefore, the GDPR applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

Processing” is a broad term that covers just about anything a company or organisation can do with data: collection, storage, transmission, analysis, etc.

Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on.

The protection offered by the General Data Protection Regulation (GDPR) travels with the data. Meaning to say, the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as 'third country').

The GDPR provides different tools to frame data transfers from the EU to a  third country:

1.  sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU;

2.  in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include:

  • in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
  • contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
  • adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.

3.  finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.

Find out what business and organisation must do to comply with EU data protection rules on ec.europa.eu.

Return to FAQs or read "What is your definition of business failure?"


Create a free account to discover insights and learn business failures.

Last edited on 25 November 2019.