The Data Protection Directive applies to countries of the European Economic Area (EEA), which includes all EU countries and, in addition, the non-EU countries Iceland, Liechtenstein and Norway.
Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection.
Without such precautions, the high standards of data protection established by the Data Protection Directive would quickly be undermined, given the ease with which data can be moved around in international networks.
The Directive states that personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed.
The Data Protection Directive requires that data transfers should not be made to non-EU/non-EEA countries that do not ensure adequate levels of protection. However, several exceptions (or “derogations”) to this rule could be applicable.
Read more on international transfers of personal data:
- Binding Corporate Rules
- Commission decisions on the adequacy of the protection of personal data in third countries
- Model Contracts for the transfer of personal data from the EU/EEA to third countries
- Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP)
- Frequently asked questions
- Communication on Exchanging and Protecting Personal Data in a Globalised World