The transfer of personal data from the EU to third countries is a special chapter. The transfer to countries for which an adequacy decision of the European Union exists is not problematic. These are currently:
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea (South Korea)
- United Kingdom
Even in the presence of an adequacy decision, details of the transfer may need to be considered for legality.
The transfer to all other third countries must be checked and provided with appropriate guarantees in order to be put on a legal basis.
Transfer to the United States
A special situation arises in the transfer of personal data to the United States of America since the European Court of Justice (ECJ) in the so-called “Schrems II – judgment” overturned the privacy shield and allowed processing under the umbrella of standard data protection clauses (SCC) only under certain conditions.
Almost all companies use services in the USA with often dubious legal protection. Following the aforementioned ECJ ruling, the authorities have increasingly moved to check the transfer of personal data, issue orders and, if necessary, threaten or impose fines.
Standard data protection contract clauses (SCC) are not sufficient
According to the aforementioned Schrems II ruling, additional technical and organizational measures would have to be introduced to supplement the protection provided by the standard data protection contract clauses in order to place the processing on a legally secure basis. In these cases, a case-by-case examination is required.