International transfers
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) recognizes the principle of free movement of personal data across the European Union or the European Economic Area respectively. Given this principle, it is not possible to prohibit or to restrict data transfers from a member state to another for the sole reason of protection of individuals with regard to the processing of their personal data. The main principle governing data transfers to third countries is the adequacy of data protection which means that a transfer may only be made, if the third country guarantees the adequate level of protection.
When transferring personal data outside the European Economic Area (EEA), the GDPR Chapter V distinguishes, with regard to the way guarantees are provided or not provided for the protection of the transferred data, among three levels of transfer:
Transfers based on adequacy decision
Adequate level of protection provided in a third country or in a certain sector in that country is acknowledged by a decision of the European Commission (more details here).
Transfers based on appropriate guarantees of the controller/data exporter
Countries outside the EEA (or international organizations) not declared by the European Commission´s adequacy decision as safe are considered as third countries with insufficient level of data protection. Generally, transfers to such countries is possible only on the basis of appropriate safeguards pursuant the GDPR Article 46 (more details here). The European Data Protection Board (EDPB) issues guidelines and opinions concerning the establishment of such appropriate safeguards.
Transfers based on exemptions for specific situations
In specific situations where transfers to the third countries not providing adequate level of protection and the creation of appropriate safeguards is not feasible, personal data may be transferred on the basis of exemptions listed in the GDPR Article 49. More detailed interpretation concerning the application of these exemptions can be found in the EDPB guidelines on the Article 49 derogations (more details here).