What rules apply to the data transfers outside the EU?
Entities in the EU that transfer personal data to an entity outside the EU (e.g. to controllers, processors or other recipients in third countries or to international organisations)(18)) have to comply with the rules on international transfers (Chapter V of the GDPR). The GDPR has not changed the rules that already existed under Directive 95/46 (and that have been in place for more than 20 years), but expanded the possibilities to use existing transfer instruments and introduced new transfer tools. This allows EU entities to adopt the approach that is most suitable for their specific situation. Depending on the situation, transfers can for example take place on the basis of an adequacy decision (i.e. where the Commission has decided that a third country or international organisation ensures an adequate level of protection), on the basis of an agreement or arrangement that contains appropriate data protection safeguards (Article 46 GDPR), or on the basis of one of the derogations listed in Article 49 GDPR (e.g. for important reasons of public interest).
The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official GDPR guidance documents for operational use.
This information was sourced from the European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.