Preparing for GDPR - What's the Deal on International Data Transfers?
I'm sure you've heard about it by now, but if not - the upcoming EU General Data Protection Regulation puts in place stringent new standards for ensuring adequate safeguards for most international transfers of personal data.
Basically, apart from in all the situations explained later in this article, you can only transfer personal data to other countries by legally protecting it - mainly through "model contractual clauses" issued by the EU Commission or using "binding corporate rules" with specific information requirements to lock into place adequate data protection standards when that data is processed in other countries.
Now, as alluded to earlier, these extra safeguards don't apply if you're transferring data to EEA countries (all the EU member states + Norway, Iceland and Liechtenstein). They don't apply either to a specific list of other countries which have been deemed to have "adequate" data protection laws and regulatory structures already in place by the EU Commission. These countries are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.