Can I transfer data outside the European Union?

Location where data is stored is a paramount criteria for controllers. If servers hosting data are located in the European Union or in an adequate country, data transfers can be operated without additional safeguards as these countries’ legislations are protective enough of personal data and individuals’ rights.

If servers hosting data are not located in the European Union, nor in an adequate country, appropriate legal safeguards compliant with Article 46 of the GDPR must be put in place.

Most used legal safeguards regarding SaaS tools are Standard Contractual Clauses for data transfers. SCCs are templates considered adequate by the European Commission which can be incorporated into any transfer contract.

However, following the decision of the EU Court of Justice known as "Schrems II", data transfers towards certain countries like the US now require complementary measures. For instance:

  • Technical complementary measures: encryption, pseudonymisation, anonymization, etc.
  • Contractual complementary measures: additional clauses, revision of existing contract, etc.
  • Organizational complementary measures: team awareness, internal documentation, etc.
Definition

What's a Privacy Policy?

A Privacy policy is an official document in which you need to sum up the goals and commitments you've settled in terms of privacy and data protection regarding your clients', employees' or customers' personal data. This document is to be published on your website and tool for everyone to see and read, your data subjects, third parties as well as supervisory authorities.
Definition

What's a data breach notification

A personal data breach is a breach of security resulting in the destruction, loss, alteration or unauthorized disclosure of personal data.According to Article 33 of the GDPR, as a processor, you must notify controllers of any personal data breach as soon as possible after becoming aware of it and offer your assistance to assess the impacts on data subjects’ lives.
Definition

What's the legal basis for a processing activity?

To process personal data a valid lawful basis is necessary. There are six available lawful bases for processing:Consent: The data subject has given clear and affirmative consent to the processing of their personal data for a specific purpose.Contract: The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

Become GDPR compliant in minutes!

Privacyboard helps you comply with GDPR easily so you can focus on what's really important for your business.
Start for free
Privacyboard

Product

PricingAbout

Ressources

BlogSubprocessorsKnowledge CenterGlossarySupervisory AuthoritiesEmail Templates

Legal

Privacy PolicyCookie PolicySubprocessorsRight RequestsTerms
Made in  🇪🇺  with  ☕️