Chapter 5: Transfers of personal data to third countries or international organisations
Transfers of personal data to third countries or international organisations
General principle for transfers
Transfers outside EEA only if conditions in Chapter 5 are met to ensure level of protection is not undermined.
Transfers on the basis of an adequacy decision
Transfers permitted to countries deemed by Commission to provide adequate level of protection.
Transfers subject to appropriate safeguards
Transfers permitted with safeguards: SCCs, BCRs, codes of conduct, certifications.
Binding corporate rules
BCRs allow intragroup transfers within multinational, subject to supervisory authority approval.
Transfers or disclosures not authorised by Union law
Foreign court/authority orders for data transfer only enforceable via international agreements.
Derogations for specific situations
Limited derogations allowing transfers: explicit consent, contract performance, public interest, legal claims.
International cooperation for the protection of personal data
Commission and supervisory authorities to develop international cooperation mechanisms.