2.7 What should I think about when transferring data to other countries or international organizations?

The GDPR ensures uniformity of privacy policy within the EU, allowing free movement of personal data  within the EEA  (28 EU member states + Norway, Iceland, Liechtenstein).

Transfer of personal data to countries  outside the EEA  or international organizations  is only permitted if the country or organization in question can guarantee an "adequate level of protection" for the processing of personal data.

The European Commission has already issued an adequacy statement to a number of countries   confirming that the country has an adequate level of protection. The most recent list of countries can be found here [add link]. There is no appropriate level of protection for the United States in general. However, the EU-US Privacy Shield is recognized by the Commission as adequate, allowing personal data to be transferred to organizations and companies certified under the Privacy Shield.

If a country is not on the list of adequacy decisions, there are a number of other options for arranging the transfer of data:

• The  use of standard provisions  in an agreement / contract between your own institution and the receiving institution (see also 2.8)
• It  explicitly ask permission to the persons concerned  for the occasional transfer of data. The persons involved must also be informed of the risks that this transfer may entail for him.

It is important to make your own assessment of the potential risks for those involved, taking into account, on the one hand, the nature of the personal data and, on the other hand, the guarantees offered by the organization concerned and the privacy legislation that exists in the country concerned.