The transfer of personal data outside of the EU is only allowed under certain conditions as set out in Directive 95/46/EC and also in the General Data Protection Regulation which will be fully applicable as of May 2018. If a country is deemed by the European Commission to offer an adequate level of protection, it will be subject to the same rules as an EU Member State, which means that the recipient of the data in that state will not be obliged to take specific measures to allow for the transfer. Transferring data to a country without an adequacy decision requires appropriate safeguards, such as standard contractual clauses or binding corporate rules. Derogations to this rule can be obtained in very specific cases. The European Data Protection Board, of which the EDPS is a member, will provide the Commission with Opinions on this subject.
Opinion on the proposal for a Council Regulation on administrative cooperation and combating fraud in the field of value added tax (recast), OJ C 66, 17.03.2010, p.1
Opinion on the proposal for a Council Regulation amending Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban, OJ C 276, 17.11.2009, p. 1
Letter to the Commission concerning the draft Commission decision on standard contractual clauses for the transfer of personal data to processors established in third countries
EDPS Comments on the Recommendation from the Commission to the Council to authorise opening of negotiations between the European Union and the United States of America for an international agreement to make available to the United States Treasury Department financial messaging data to prevent and combat terrorism and terrorist financing