
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply:
- to processing in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- to the processing of personal data of data subjects who are located in the Republic of Albania by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- to processing by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which result, in particular, from the analysis of a biological sample taken from that person (Article 5(25)).
“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts acting in the course of their judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his or her health condition or when his or her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, or for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure that minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure and the publication relates to their role.
Exceptions do not apply to processing data about minors or certain other legal provisions.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information is not restricted by personal data protection laws in respect of public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states are deemed to have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security must be appropriate to the nature of the personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013, “On the Determination of Detailed Rules for the Security of Personal Data”.
Breach notification in Albania
Controller’s notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller’s notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor’s notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued Instruction No. 06, dated 28 May 2010, “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.
In order to provide some clarification on the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer that contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently, simply by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from processing for direct marketing purposes if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users of the website, together with notification to those users about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
According to the provisions of Law No. 18-07, the data controller may only transfer personal data to a foreign State with the authorisation of the national authority in accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data.
However, Article 45 of Law No. 18-07 provides derogations from the general provisions for transferring personal data (free translation):
“Article 45: In derogation from the provisions of Article 44 of this law [general provisions explained above], the data controller may transfer personal data to a State that does not meet the conditions specified in the said article [a sufficient level of protection for privacy and the fundamental freedoms and rights of individuals] under the following circumstances:
- If the data subject has expressly consented to the transfer;
- If the transfer is necessary for:
  - Preserving the life of the data subject;
  - Preserving public interest;
  - Fulfilling obligations to establish, exercise, or defend a legal right;
  - Executing a contract between the data controller and the data subject or for pre-contractual measures at the request of the data subject;
  - Concluding or executing a contract in the interest of the data subject between the data controller and a third party;
  - Executing a measure of international judicial cooperation;
  - Preventing, diagnosing, or treating medical conditions.
- If the transfer is carried out under a bilateral or multilateral agreement to which Algeria is a party;
- With the authorization of the national authority, if the processing complies with the provisions of Article 2 of this law.”
In any case, it is forbidden to communicate or transfer personal data to a foreign country, when such transfer is likely to affect public security or the vital interests of the State.
International transfers of personal data to countries with an adequate level of protection require prior notification to the APD. An adequate level of protection means a level of protection equivalent to that provided by the Angolan Data Protection Law. The APD determines which countries ensure an adequate level of protection by issuing an opinion to that effect.
International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorization from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and mandatory internal rules on data protection and privacy.
Please note that the communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.
Transfers and disclosures to third parties
Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be rescinded.
Consent is not required for the transfer of data for which consent was not necessary at collection. Nor is it required for transfers between state agencies for the performance of their respective activities, or in connection with health-related data where the transfer is necessary for public health or emergency reasons or for the performance of epidemiological studies, provided the identity of the persons to whom the data refer is kept confidential by means of an adequate dissociation mechanism. In addition, consent is not necessary for personal data generally if an adequate dissociation mechanism is used such that the data subjects are not identifiable.
Cross-border transfers
The cross-border transfer of personal data to countries or international or supranational organizations which do not provide adequate protection to such data is prohibited, unless:
- The data subject expressly consents to that transfer;
- The transfer is necessary for international judicial cooperation;
- The transfer takes place as part of certain exchanges of medical data;
- The transfer consists of bank or stock exchange transfers, in the context of banking or stock exchange transactions;
- The transfer takes place as provided in the context of international treaties to which Argentina is a party; or
- The transfer has as its purpose international cooperation between intelligence agencies engaged in combating organized crime, terrorism and drug trafficking.
Transfer to third parties shall mean an operation aimed at transferring personal data to a certain scope of persons or the public at large or at familiarizing with them, including disclosure of personal data through the mass media, posting in information communication networks or otherwise making personal data available to another person.
The processor may transfer personal data to third parties or grant access to data without the personal data subject's consent, where it is provided for by law and has an adequate level of protection.
The processor may transfer special category personal data to third parties or grant access to data without the personal data subject’s consent, where:
- the data processor is considered as a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection;
- in exceptional cases provided for by law special category personal data may be transferred for protecting life, health or freedom of the data subject.
Personal data may be transferred to another country with the data subject's consent or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these purposes.
Personal data may be transferred to another state without the permission of the authorized body, where the given state ensures an adequate level of protection of personal data. An adequate level of protection of personal data shall be considered to be ensured, where:
- personal data are transferred in compliance with international agreements;
- personal data are transferred to any of the countries included in the list officially published by the authorized body.
Personal data may be transferred to the territory of the State not ensuring an adequate level of protection only by the permission of the authorized body where personal data are transferred on the basis of an agreement, and the agreement provides for such safeguards with regard to the protection of personal data which were approved by the authorized body as ensuring adequate protection.
In cases referred to in the previous paragraph the processor of personal data shall be obliged — prior to the transfer of data to another country — to apply to the authorized body to obtain permission. The processor of personal data shall be obliged to specify in the application the country where personal data are transferred, the description of the recipient of personal data (name, legal form), the description (content) of personal data, the purpose of processing and transferring personal data, agreement or the draft thereof. The authorized body shall be obliged to permit or reject the application within 30 days. The authorized body may require from the processor of personal data additional information by observing the time limit for the consideration of the application. In case when the authorized body finds that contractual safeguards are not sufficient, it shall be obliged to specify those necessary changes which will ensure safeguards for the protection of personal data.
Personal data under the disposition of state bodies may be transferred to foreign state bodies only within the scope of interstate agreements, whereas to non-state bodies in accordance with the norms provided above.
National Ordinance Person Registration
By means of article 9 of the National Ordinance Person Registration, recorded data will only be made available to third parties in accordance with the purpose of the register and if obligated by law or done with the consent of the registered persons.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:
- The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although the use of appropriate contractual provisions is a step towards ensuring compliance with the 'reasonable steps' requirement);
- The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs;
- A "permitted general situation" applies;
- The disclosure is required or authorized by law or a court / tribunal order; or
- A declaration of equivalency has been made by the Governor-General permitting the overseas transfer of personal information to a recipient in a country which has laws substantially similar to the Privacy Act. No declarations of equivalency have been made as yet by the Governor-General.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Transfer of personal data may be performed with the prior written consent of the data subject, unless the data falls within the open category.
Section 17 of the DPA addresses the international transfer of data. Under Section 17(1), the DPC may prohibit the transfer of personal data from The Bahamas to a place outside The Bahamas where there is a failure to provide protection, by contract or otherwise, equivalent to that provided under the DPA, subject to certain exceptions. In deciding whether to prohibit an international transfer of data, the DPC must consider whether such a transfer would cause damage or distress to any person, and must consider the desirability of the transfer. Under Section 17(8), however, Section 17 does not apply to data required or authorized to be transferred under another enactment, to data required to be transferred by any convention or other instrument imposing an international obligation on The Bahamas, or to data that the data subject has consented to having transferred.
Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. The Authority has listed the countries it deems to provide adequate regulatory and legislative protection for personal data. Data controllers may transfer personal data directly to the states, countries and territories listed in the regulation without obtaining prior authorization from the Authority. The 83 listed countries are as follows:
- Andorra, Argentina, Australia, Austria, Belgium, Bolivia, Brazil, Brunei, Bulgaria, Canada, Chile, China, Colombia, Croatia, Cyprus, Czech Republic, Denmark, Ecuador, Egypt, Estonia, Falkland Islands, Faroe Islands, Finland, France, French Guiana, Georgia, Germany, Greece, Guernsey, Guyana, Hong Kong, Hungary, Iceland, India, Ireland, Isle of Man, Israel, Italy, Japan, Jersey, Jordan, Kazakhstan, Kingdom of Saudi Arabia, Kuwait, Latvia, Liechtenstein, Lithuania, Luxembourg, Macau, Malaysia, Malta, Mexico, Monaco, Morocco, Netherlands, New Zealand, Nigeria, Norway, Oman, Pakistan, Paraguay, Peru, Poland, Portugal, Romania, Russia, San Marino, Singapore, Slovakia, Slovenia, South Korea, Spain, Suriname, Sweden, Switzerland, Thailand, Ukraine, United Arab Emirates, United Kingdom, United States of America, Uruguay, Vatican and Venezuela.
Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:
- the transfer occurs pursuant to a permission to be issued by the Authority on a case-by-case basis, if it deems that the data will be sufficiently protected;
- if the data subject has consented to that transfer;
- if the data to be transferred has been extracted from a register that was created in accordance with the PDPL for the purpose of providing information to the public, regardless of whether viewing of this register is available to everyone or limited to the parties concerned in accordance with specific terms and conditions. In this instance, one shall have to satisfy the terms and conditions prescribed for viewing the register before viewing that information;
- if the transfer is necessary for any of the following:
  - to implement a contract between the data subject and the data controller, or to undertake preceding steps at the data subject's request for the purpose of concluding a contract;
  - to implement or conclude a contract between the data controller and a third party for the benefit of the data subject;
  - to protect the data subject's vital interests;
  - to implement an obligation imposed by the PDPL (even if this is contrary to the contractual obligation), or to implement an order issued by a competent court, the public prosecution, the investigating judge or the military prosecution; or
  - to prepare, execute or defend a legal claim.
Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our opinion, transfers would be permitted provided consent of the data subject is obtained.
While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific restrictions that are discussed below.
Banks
Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to removal of documents and records outside Bangladesh without prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).
The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company. Banks must also maintain confidentiality in banking transactions.
Telecommunication companies
The Bangladesh Telecommunication Regulatory Commission ("Commission") is the authority that is responsible for regulating telecommunications companies ("telcos") in Bangladesh and issuing licenses to telcos for providing mobile phone services.
The license which is granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to "all information provided by the subscriber". As such, telcos will be prohibited from sharing any subscriber information (to entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data, instead for such sharing, approval from the Commission will be required.
Transfer of personal data is unlawful unless certain conditions are satisfied. Where the data subject has given their consent to the transfer of their personal data, the restrictions on the transfer of the data do not apply. The Act also sets out various other exemptions from the restrictions where transfer of the personal data is necessary, e.g. for the performance of a contract between the data subject and the data controller, for reasons of substantial public interest, for the purpose of obtaining legal advice, etc.
Personal data obtained must not be transferred to a country or territory outside Barbados unless that country or territory provides for (a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data and (b) appropriate safeguards on condition that the rights of the data subject are enforceable and there are available, effective legal remedies for data subjects.
The circumstances for determining an adequate level of protection, as well as the methods for providing appropriate safeguards, including the development of binding corporate rules, must be submitted to the Commissioner for authorisation.
The “binding corporate rules” must specify at least the following:
- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
- the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
- their legally binding nature, both in and outside of Barbados.
The general rule is that cross-border transfer is prohibited unless the foreign state provides an appropriate level of protection of the rights of personal data subjects. The NPDPC has established a list of foreign states which ensure an appropriate level of protection. The list includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981, as well as foreign states that are members of the Eurasian Economic Union. There are plans to broaden the list of foreign states that provide an appropriate level of protection of the rights of personal data subjects.
However, there are certain exceptions under which transfer to jurisdictions with an inappropriate level of protection is allowed, for example upon the consent of the personal data subject after being informed of the possible risks, or under an individual permit for cross-border transfer issued by the NPDPC.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU - U.S. Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Belgium regulation
No general additional requirements relating to transfers are introduced by the Data Protection Act. The Data Protection Act only regulates the transfer of personal data under the special regimes, which in certain cases provide for less leeway for transfers.
A personal data processor may transfer data to a foreign country if the receiving country ensures an adequate level of protection for the privacy and human rights and freedoms of the persons concerned.
The level of protection will be assessed according to:
- the data protection laws of the recipient country;
- the safety measures; and
- the processing characteristics (purpose, duration, nature, origin and destination of the processed data).
It is worth noting that even where a recipient country is not deemed 'safe' in protecting data, the APDP may give its assent if the data transfer is accompanied by protective measures such as contractual clauses or internal rules.
For instance, some data, such as biometric data, health data, data related to serious infringements and data regarding crime, will be considered as involving specific risks for the rights and freedoms of individuals. Transfers of such data will need to be approved under Article 41 of the Law on the Protection of Personally Identifiable Information.
PIPA regulates the transfer of personal information to an overseas third party. The legislation provides that the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to ensure that the overseas third party provides comparable protection for the personal information.
There are currently no specific requirements for the lawful transfer of personal data.
Personal Data Protection Act BES
Article 42 of the Personal Data Protection Act BES stipulates that personal data that are subject to processing, or that are intended to be processed after their transfer, may only be transferred to a country outside the European Union if, without prejudice to compliance with the law, that country guarantees an adequate level of protection.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
Under the transfer rules set out in the DP Law, processed personal data may be transferred to countries where an adequate level of personal data protection is ensured. In that regard, preferential status is given to the member states of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention"), as members of the Convention ensure an adequate level of personal data protection.
Personal data transfer to countries that do not provide for an adequate level of personal data protection is allowed in certain cases stipulated by the DP Law, for example:
- When the data subject consented to the transfer and was made aware of possible consequences of such transfer;
- When it is required for the purpose of fulfilling the contract or legal claim; or
- When it is required for the protection of public interest.
In addition, the DPA may exceptionally approve the transfer to a country that does not ensure an adequate level of personal data protection if the controller in the country to which the data is to be transferred can provide sufficient guarantees in regard to the protection of the privacy and fundamental rights and freedoms of the data subject.
The Draft Data Protection Law prescribes a set of mechanisms on the basis of which a legitimate transfer of data out of BiH is possible. This means that the Draft Data Protection Law aims, like the GDPR, to enable the legitimate transfer of personal data whenever there are safeguards ensuring that the transferred data will be processed in line with the law.
In practice, this means the following:
- It should firstly be checked whether a particular country to which the data is to be transferred is regarded as a country with an adequate data protection system (“Adequate Country”);
- If a country to which the data is to be transferred from BiH is the Adequate Country or if there is a data transfer related international treaty entered into between BiH and that country, a transfer is possible without any approval of the Agency (“Transfer Approval”);
- On the other hand, if a country to which the data is to be transferred is not the Adequate Country, a transfer is still possible without the Transfer Approval if the adequate data protection measures are undertaken (e.g., if appropriate standard contractual clauses have been entered into between a data exporter and a data importer) (“Adequate Safeguards”);
- However, even if there are no Adequate Safeguards, there is still a possibility for transferring the data without the Transfer Approval. Such possibility exists in so-called special situations, explicitly prescribed by the Draft Data Protection Law, the same as under the GDPR (e.g., a data subject has consented to a particular transfer, a transfer is necessary for the realization of an agreement between a data subject and data controller, etc.);
- Finally, even if none of the aforementioned special situations is applicable, a data transfer is still allowed without the Transfer Approval if certain conditions (linked to a data controller's legitimate interest) explicitly prescribed by the Draft Data Protection Law are cumulatively fulfilled.
The transfer of personal data from Botswana to another country is prohibited save for transborder transfers to countries that have been designated by the Minister through an Order published in the Government Gazette.
Transborder transfers of personal data require prior authorisation to be granted by the Commissioner so as to assess and ensure that adequate levels of protection are provided by the country receiving the personal data. The assessment is in light of all the circumstances surrounding the data transfer operation and particular consideration is given to:
- the nature of the data;
- the purpose and duration of the proposed processing operation;
- the country of origin and the country of final destination;
- the rule of law, both general and sectoral, in force in the third country in question; and
- the professional rules and security safeguards which are complied with in that country.
Notwithstanding the above, transborder transfers to countries which do not offer an adequate level of protection are allowed where the data subject consents to the proposed transfer or, where the transfer is:
- necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;
- necessary for the performance or conclusion of a contract in the interests of the data subject between the data controller and a third party;
- necessary or legally required for the public interest, or for the establishment, exercise or defence of a legal claim;
- necessary to protect the vital interests of the data subject; or
- made from a register that is intended to provide the public with information and is open to public inspection.
Regardless of the above mentioned restrictions, transborder flow of personal data to a country without adequate levels of protection may be authorised where consent is obtained from the data subject and the data controller provides adequate safeguards which may be by means of appropriate contractual provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals.
Currently, personal data may be freely transferred to the following countries:
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Spain
- Slovenia
- Sweden
- Norway
- Liechtenstein
- Iceland
- The United Kingdom
- New Zealand
- Israel
- Japan
- Isle of Man
- Guernsey
- Switzerland
- Uruguay
- Republic of Korea
- Andorra
- Argentina
- Faroe Islands
- Jersey
- South Africa
- Kenya
The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:
- The transfer is to countries or international organizations with an adequate level of protection of personal data;
- There are adequate guarantees of compliance with the principles and rights of the data subject provided by the LGPD, in the form of:
  - specific contractual clauses for a given transfer;
  - standard contractual clauses;
  - global corporate norms; or
  - regularly issued stamps, certificates and codes of conduct;
- The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies;
- The transfer is necessary to protect the life or physical safety of the data subject or a third party;
- The ANPD has provided authorization;
- The transfer is subject to a commitment undertaken through international cooperation;
- The transfer is necessary for the execution of a public policy or legal attribution of public service; or
- The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.
On August 23, 2024, ANPD published Regulation CD/ANPD 19/2024, which provides for the rules for international transfer of personal data, including the ANPD-approved form of standard contractual clauses, and the procedure for approval of specific contractual clauses and binding corporate rules. Said regulation also provides for the criteria to be observed by the ANPD when issuing adequacy decisions and when recognizing the equivalence of standard contractual clauses issued by other jurisdictions with the ANPD clauses.
If standard contractual clauses are the elected transfer mechanism within an organization, it is important to note that ANPD clauses must be implemented by August 2025.
On May 05, 2022, ANPD opened a public consultation regarding international transfers regulation. However, such regulation is pending but expected to be published sometime in 2023.
As set out under the General Principle, transfers of personal data by a data controller or a data processor to countries or territories outside the British Virgin Islands are only permitted where that country or territory ensures an adequate level of data protection safeguards in relation to the processing of personal data. This transfer restriction is intended to ensure that the level of protection provided by the DPA is not circumvented by transferring personal data abroad.
The DPA also includes the following exceptions where the General Principle will not apply to a transfer:
- the data subject has consented to the transfer (where consent must be freely given, specific, informed and unambiguous, and must be capable of being withdrawn at any time);
- the transfer is necessary for the performance of a contract between the data subject and the data controller, or the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;
- the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract;
- the transfer is necessary for reasons of substantial public interest;
- the transfer is for a lawful purpose directly related to an activity of the data controller, is necessary for, or directly related to, that purpose, and the personal data is adequate but not excessive in relation to that purpose;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is necessary for the administration of justice; or
- the transfer is required for the exercise of any functions conferred on a person by law.
At present not a regulated activity.
It is anticipated that under the PDPO, an organization shall not transfer personal data to a country outside Brunei Darussalam except in accordance with requirements prescribed under the PDPO to ensure that the transferred personal data will be accorded a standard of protection comparable to that under the PDPO. It is not anticipated that such requirements prescribed by the PDPO will be as stringent and prescriptive as in other jurisdictions, for example the EU; rather, it is anticipated that the PDPO will place the onus on organizations to ensure that appropriate measures are taken to protect personal data transferred out of Brunei Darussalam, through the imposition of contractual obligations or otherwise.
AITI recommends the adoption of the ASEAN Model Contractual Clauses for Cross Border Data Flows (MCCs) which are templates for contractual terms and conditions which may be included in legal agreements between businesses to ensure personal data is protected when engaging in cross border data transfers between ASEAN Member States. But it remains to be seen if the adoption of the MCCs will be popular as it is envisaged that a fair amount of modification will have to be made to the MCCs so as to be compatible with the purposes of any particular cross-border transaction between organisations.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The appropriate safeguards include among others binding corporate rules and standard contractual clauses. On 4 June 2021 the European Commission adopted a new set of standard contractual clauses for transfers outside the EU/EEA. Data controllers and processors had until 27 December 2022 to renegotiate their existing data processing agreements based on the old set of standard contractual clauses in order to reflect the new clauses adopted by the European Commission.
The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Bulgaria regulation
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data transfer and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU member states, the provisions of the regulation relating to this matter shall be applied in all cases of data transfer.
The provisions of the Law pertaining to international transfers are broadly drafted.
According to said provisions, international transfers cannot be made unless the following conditions are met:
- the authorisation of the CNIL has been requested;
- a data confidentiality clause and a data reversibility clause have been signed with the contracting party, in order to facilitate the complete migration of the data at the end of the contract; and
- technical and organisational security measures have been implemented.
Additionally, the transfer can only be made to a foreign country or an international organisation if the beneficiary country or international organisation ensures an adequate level of protection equal to the one ensured in Burkina Faso (Article 42 of the law).
As a signatory to the Marrakech Resolution of 22 November 2013, Burkina Faso recognizes the application of the French-speaking RCE, which consist of a code of conduct by which a group of companies defines its internal policy on the transfer of personal data. The RCE are modelled on the European Commission’s binding corporate rules ('BCR').
In practice, the RCE mechanism concerns the authorities of the AFAPDP member countries that have adopted the cooperation protocol and the resolution on the framework for data transfers in the French-speaking area. This concerns at least the following 13 countries: Albania, Andorra, Belgium, Benin, Burkina Faso, France, Gabon, Luxembourg, Mauritius, Morocco, Senegal, Switzerland and Tunisia.
The RCE cover intra-group transfers of personal data carried out by a company established in an AFAPDP member country, to other companies of the group, whether the latter are located in an AFAPDP member country or not.
No geographic transfer restrictions apply in Burundi. Certain sector-specific provisions require companies to obtain consent prior to third-party transfers of personal information. Notably, under Article 16 of Law No. 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, "every patient has the right to decide on the use of the medical information concerning him and the conditions under which they may be transmitted to third parties."
There are no existing regulations or provisions restricting the transfer of data, including international transfer, except for banks and financial institutions licensed by the National Bank of Cambodia, which need to follow the Technology Risk Management Guidelines. Those guidelines contain provisions that restrict the international transfer of data.
The transfer of personal data to a foreign country or to an international organisation is subject to prior authorisation being obtained from the personal data protection authority under conditions that guarantee the exercise of the data subject's rights.
When issuing such authorisation, the personal data protection authority must first ensure that:
- the country of destination of the personal data offers an adequate level of protection;
- a legal instrument signed with the country of destination of the personal data transferred, in liaison with the competent authorities and bodies, has previously entered into force;
- the entity requesting the import of personal data is subject to binding security rules for the protection of such data; and
- the importing and exporting entities concerned have previously subscribed to standard contractual clauses relating to the international transfer of personal data, drawn up and published by the personal data protection authority.
When an organization transfers personal information to a third-party service provider (i.e., a provider who acts on behalf of the transferring organization; although Canadian legislation does not use these terms, the transferring organization would be the “controller” in GDPR parlance and the service provider would be the “processor”), the transferring organization remains accountable for the protection of that personal information and for ensuring compliance with the applicable legislation, using contractual or other means. In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third-party service provider appropriately safeguards the data and only uses it for the specified purposes, and would also be required under the notice and openness/transparency provisions to reference the use of third-party service providers inside and outside of Canada in its privacy policies and procedures.
These concepts apply whether the party receiving the personal information is inside or outside Canada. Transferring personal information outside of Canada for storage or processing is generally permitted so long as the requirements discussed above are addressed, and the transferring party notifies individuals that their information may be transferred outside of Canada (or outside of Québec, as applicable) and may be subject to access by foreign governments, courts, law enforcement or regulatory agencies. This notice is typically provided through the transferring party’s privacy policies.
With respect to the use of foreign service providers, PIPA Alberta specifically requires a transferring organization to include the following information in its privacy policies and procedures:
- The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and
- The purposes for which the third party service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization
Under PIPA Alberta, specific notice must also be provided at the time of collection or transfer of the personal information and must specify:
- The way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and
- The name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
The Quebec Private Sector Act, as modified by Bill 64, requires all organizations to inform persons that their personal information may be transferred outside of Québec: this is typically done at the time the information is collected. Additionally, before transferring personal information outside of the province of Quebec, organizations must conduct data privacy assessments and enact appropriate contractual safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise) and the applicable privacy regime of the jurisdiction of transfer. Cross-border transfers may only occur if the organization is satisfied that the information would receive an adequate level of protection. Quebec has decided not to implement a system of adequacy decisions, and therefore assessments are required on a case-by-case basis prior to any cross-jurisdiction transfer.
The Data Protection Law stipulates that the international transfer of personal data is only permitted if the recipient country is considered to have adequate level of protection in respect of personal data processing.
The adequate level of protection for foreign countries is defined by the data protection authority.
As a general rule, the transfer of personal data to countries that do not provide for an adequate level of protection of personal data can only be permitted if the data subject has given his consent or in some specific situations, namely if the transfer:
- is necessary for the performance of an agreement between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject’s request
- is necessary for the performance or execution of a contract entered into or to be entered into in the interest of the data subject between the controller and a third party
- is necessary in order to protect the vital interests of the data subject
- is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided the conditions laid down in law for consultation are fulfilled in the particular case.
As set out in the eighth principle, transfers of personal data by a data controller or a data processor to countries or territories outside the Cayman Islands are only permitted where that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This is to ensure that the level of protection provided by the DPA is not circumvented by transferring personal data abroad.
The Ombudsman has issued guidance stating that it considers the following countries and territories as ensuring an adequate level of protection:
- member states of the European Economic Area (that is, the European Union plus Liechtenstein, Norway and Iceland) where Regulation EU 2016/679 (the General Data Protection Regulation or "GDPR") is applicable; and
- any country or territory in respect of which an adequacy decision has been adopted by the European Commission pursuant to Article 45(3) GDPR or remains in force pursuant to Article 45(9) of the GDPR.
Other countries and territories may be deemed to have an adequate level of protection depending on various factors, which are to be assessed by a data controller, or a data controller may request authorization from the Ombudsman for a transfer.
The DPA also includes the following exceptions where the eighth principle will not apply to a transfer:
- if the data subject has consented to the transfer (where consent must be freely given, specific, informed and unambiguous and must be capable of being withdrawn at any time);
- where the transfer is necessary for the performance of a contract between the data subject and the data controller, or the taking of steps at the request of the data subject with a view to the data subject's entering into a contract with the data controller;
- the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract;
- the transfer is necessary for reasons of substantial public interest;
- the transfer is necessary for the purposes of legal proceedings, obtaining legal advice or otherwise establishing, exercising or defending legal rights;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer; or
- the transfer is required under international cooperation arrangements between intelligence agencies or between regulatory agencies to combat organized crime, terrorism or drug trafficking or to carry out other cooperative functions, to the extent permitted or required under Cayman Islands law or an order of the Grand Court of the Cayman Islands.
In light of Article 29 of the Act, the data controller cannot transfer personal data to a foreign country that is not a member of CEMAC / CEEAC unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.
Moreover, prior to any transfer of personal data abroad, the data controller must first inform the regulatory authority, ANSICE.
CEMAC is the French acronym of the Economic and Monetary Community of Central Africa. CEEAC is the French acronym of the Economic Community of Central African States.
A transfer to a non-CEMAC / CEEAC country not offering a sufficient level of protection is possible if:
- the Data Subject agrees to the transfer;
- the transfer protects the life of the Data Subjects / Holders;
- the transfer protects the public interest;
- the transfer is necessary for the performance of an agreement between the Data Subject and the Data Processor, or to take pre-contractual measures upon the request of the Data Subject; or
- the transfer is made from a public register which, according to laws and regulations, is intended to provide information to the public and is open to public consultation.
The ANSICE may allow the Data Controller to transfer data to a foreign country that is not a member of CEMAC / CEEAC if the Data Controller provides sufficient protection for the Data Subject’s private life, liberties, and fundamental rights.
(Articles 30-33 of the Act)
Transfer of personal data is considered a processing activity, so all of the aforementioned rules are applicable, including the requirement to rely on a legal basis (usually consent). The PDPL does not provide or require any special provisions for the international transfer of personal data.
If a data controller wishes to share, disclose or otherwise transfer an individual's personal information to a third party (including group companies), the data controller must:
- if the third party is a separate data controller, inform the data subject of the purposes of the sharing, disclosure or transfer of the personal information, the types of data shared, and the name and contact information of the recipient, and obtain prior separate consent from the data subject;
- perform a personal information impact assessment (PIIA), and take effective measures to protect the data subjects according to the assessment results (e.g. putting in place a data transfer agreement or similar contractual protections) (see Collection & Processing);
- record accurately and keep the information in relation to the sharing, disclosure or transfer of the personal information, including the date, scale, purpose and basic information of the data recipient of the sharing or assigning;
- ensure personal information is only transferred where required for processing purposes; not share or transfer any personal biometric information or other types of particularly sensitive personal information where prohibited under relevant laws or regulations; and
- ensure contractual measures are entered into to require the data processor to comply or assist the data controller in complying with obligations under data protection laws.
Cross-border transfers
Most personal information can be transferred or accessed outside of the PRC providing the following compliance steps are taken:
- the data controller has completed one of the following mechanisms to legitimize the overseas data transfer, unless the transfer is exempted from such requirement (see below for details):
- the organisation has passed a CAC security assessment;
- the organisation has obtained certification from a CAC-accredited agency;
- the organisation has put in place CAC standard contractual clauses (SCCs) with the data recipient and filed the signed SCCs with the local CAC together with a cross-border transfer specific PIIA report; or
- for compliance with laws and regulations or other requirements imposed by the CAC;
- the data controller has adopted necessary measures to ensure the data recipient's data processing activities comply with standards comparable to those set out in the PIPL. In practice this means initial due diligence, sufficient contractual protections and ongoing monitoring etc.;
- notice has been given to, and separate, explicit consent obtained from, the data subject (see Collection & Processing); and
- a PIIA has been conducted (see Collection & Processing).
Exempted Transfers
According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, the following cross-border data transfers are exempted from having to follow any one of the legitimising mechanisms above ("Exempted Transfers”):
- Collection outside of the PRC: the personal information being transferred outside of the PRC was originally collected and generated outside of the PRC and thereafter imported back into the PRC, and the processing of such personal information within the PRC does not involve any personal information or important data that is collected from or generated in the PRC;
- Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts;
- Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.); or
- Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances.
Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test. This means the organisation must prove that the cross-border data transfer is necessary in order for the exemption to apply. However, it remains unclear as to what would constitute a necessary basis for the cross-border transfer of personal information.
After carving out all the Exempted Transfers, the data controller shall determine the applicable mechanisms to legitimise the remaining overseas data transfers as follows:
CAC security assessment
According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, a CAC security assessment is required for data controllers who meet any of the following thresholds:
- an organisation intends to transfer any "important data" overseas;
- a CIIO intends to transfer any personal information overseas;
- a data controller intends to transfer non-sensitive personal information of more than 1,000,000 individuals overseas since 1 January of the year when the calculation is conducted; or
- a data controller intends to transfer sensitive personal information of more than 10,000 individuals overseas since 1 January of the year when the calculation is conducted.
The CAC security assessment involves the organisation completing a self-assessment of its cross-border data transfers, which must then be submitted for approval by both the local and national CAC. It primarily assesses the impact of overseas transfers on national security, public interest, and the legitimate rights and interests of individuals or organisations. If the CAC security assessment is passed, the organisation will be granted written approval. Such approval will be valid for 3 years and may be extended for another 3 years upon approval by both the local and national CAC, provided the organisation has made no change to its previously approved cross-border transfers.
For organisations that must follow the CAC security assessment route, a copy of the data must in practice be stored locally in the PRC.
China SCCs
According to the Regulations on Facilitating and Regulating the Cross–border Data Transfers, a China SCCs filing with the CAC is required for data controllers who meet any of the following thresholds:
- a data controller intends to transfer non-sensitive personal information of between 100,000 and 1,000,000 individuals overseas since 1 January of the year when the calculation is conducted; or
- a data controller intends to transfer sensitive personal information of fewer than 10,000 individuals overseas since 1 January of the year when the calculation is conducted.
PRC data controllers that must follow the China SCCs filing route must put in place the China SCCs with the overseas data recipient, and then, within 10 working days after the China SCCs take effect, file a copy of the signed SCCs together with the corresponding PIIA with the local CAC.
The Measures for the Standard Contract for the Outbound Transfer of Personal Information and the Guidelines on the Filing of Standard Contracts for the Outbound Transfer of Personal Information (Second Edition) provide clarification on how the SCCs may be implemented by organisations as one of the mechanisms for overseas data transfer under the PIPL, how to prepare the corresponding PIIA by using the standard template formulated by the CAC and the procedures for filing the signed SCCs and the PIIA report.
CAC certification
The CAC certification route applies to organisations who trigger the same thresholds as the China SCCs, but importantly appears to provide a practical "legitimizing" route for overseas entities (without a presence in China) collecting and processing personal information outside of China, who in practice have to date found it difficult to follow the other routes. The "Draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information" were published for public consultation on 3 January 2025, and set out proposals as to how the certification scheme will be implemented. It will, once implemented, set up a framework for organisations to certify their overseas data transfer processes and procedures. However, there remains some uncertainty as to how it will be enforced in practice against non-China entities.
Organisations within regulated industry sectors may have to follow other compliance steps prescribed by their industry regulator in order to transfer their personal information outside of the PRC or to allow remote access to it from outside the PRC.
However, certain personal information (and non–personal information) must still remain in (and cannot be accessed outside of) the PRC. This includes (this is not an exhaustive list):
- certain data under industry–specific regulations (such as in the financial services sector and genetic health data); and
- certain restricted data categories (such as "state secrets", some "important data", geolocation and online mapping data etc.).
Finally, according to the PIPL:
- a publicly available entity list may be published, listing foreign organisations to whom local PRC organisations may not transfer personal information, where such transfer may harm national security or public interest;
- data controllers must not provide personal information stored within the PRC to overseas legal or enforcement authorities unless approval is obtained from a designated Chinese authority. It remains unclear whether this extends to, say, requests from overseas industry regulators; and
- the PIPL clarifies that Chinese authorities may provide personal information stored within the PRC to overseas legal or enforcement authorities upon request, if and to the extent that there are international treaties or regulations in place to maintain fairness and for mutual benefit.
Transfer of personal information within the Greater Bay Area
Given the close integration of cities within the Guangdong–Hong Kong–Macao Greater Bay Area (GBA), and that data flows between Hong Kong and other cities within the GBA are becoming increasingly frequent, the CAC, the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) together formulated the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SCCs).
In addition to complying with other general data protection requirements (e.g. notice, consent and impact assessment, etc.), if the data controller and the data recipient are registered in Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing or Hong Kong SAR, they may consider signing the GBA SCCs to legitimize the transfer and file the signed GBA SCCs with the Guangdong CAC and the PCPD.
Free Trade Zone rules
The Regulations on Facilitating and Regulating the Cross–border Data Transfers provides that Free Trade Zones (FTZs) have the authority to create their own lists of data, the cross-border transfer of which may require CAC security assessment, China SCCs or CAC certification.
During 2024, FTZs in Tianjin, Beijing, Fujian and Shanghai each published their own "positive data list" or "negative data list" and also set out rules for handling cross-border transfers of data falling inside or outside of the lists. In general, FTZs have relatively wide discretion when implementing the rules, which may make case-by-case negotiations with the FTZs necessary.
Per Law 1581, the transfer of personal data occurs when the data controller or the data processor located in Colombia sends the personal data to a recipient, in Colombia or abroad, who is responsible for the personal data, i.e., a data controller.
Cross-border data transfers are prohibited unless the country to which the data will be transferred provides at least equivalent data privacy and protection standards and adequate safeguards to those provided by Colombian law. In this regard, adequate levels of data protection will be determined in accordance with the standards set by the SIC.
This restriction does not apply in the following cases:
- If the Data Subject expressly consented to the cross-border transfer of data
- Exchange of medical data
- Bank or stock transfers
- Transfers agreed to under international treaties to which Colombia is a party
- Transfers necessary for the performance of a contract between the Data Subject and the controller, or for the implementation of pre-contractual measures, provided the data owner consented, and
- Transfers legally required in order to safeguard the public interest
Therefore, the data controller requires the authorization of the Data Subject for transferring the personal data abroad, unless such transfer is to one of the following countries which, according to the SIC, meet the required standard of data protection and security.
Authorized countries for international transfer of personal data
- Albania
- Argentina
- Austria
- Belgium
- Bulgaria
- Canada
- Costa Rica
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Japan
- Latvia
- Lithuania
- Luxembourg
- Malta
- Mexico
- Netherlands
- New Zealand
- Norway
- Perú
- Poland
- Portugal
- Republic of Korea
- Romania
- Serbia
- Slovakia
- Slovenia
- Spain
- Sweden
- Switzerland
- United States
- United Kingdom
- Uruguay
The SIC also considers that personal data can be transferred to any country which the European Commission considers to meet its standard for levels of protection.
Transfer of personal data
The transfer of personal data takes place when the data controller provides personal data to a data processor, in Colombia or abroad, in order to allow the data processor to process the personal data on behalf of the data controller. The data subject’s consent is required for the transfer of data, unless an adequate data transfer agreement between the data processor and the data controller is in place.
In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:
- The extent and limitations of the data treatment
- The activities that the data processor will perform on behalf of the data controller, and
- The obligations the data processor has to data subjects and the data controller
The data processor has three additional obligations when processing personal data:
- Process data according to the legal principles established in Colombian law
- Guarantee the safety and security of the databases
- Maintain strict confidentiality of the personal data
A data controller transferring data to a data processor must identify the data processor in the National Database Register for each database transferred. Finally, the data processor must process the personal data in accordance with the data controller’s privacy policy and the authorization given by the data subject.
The principle in this area is that the transfer of data to a third country is only authorised if that State ensures a level of protection of privacy, freedoms and fundamental rights that is greater than or equivalent to that in force in Côte d'Ivoire (article 26 of Law 2013-450).
Article 26 also states that prior to any actual transfer of personal data to a third country, the data controller must obtain prior authorisation from ARTCI.
This authorization is required even if the third country is considered to have an adequate level of protection.
The application for authorization must be submitted by a legal entity under Ivorian law (Article 7 of the 2015 Decree).
According to the said Article 7, the authorization application must include several elements, including:
- The identity and address of the data controller and, where applicable, its representative
- The nature of the data involved
- The reason for and purposes of the transfer
- The guarantees of protection, conservation, confidentiality of the data and respect for the rights of the data subjects
- The name of the country hosting the transferred data and the legal framework relating to personal data applicable in that country
- The methods of transmission of the data concerned
- The guarantee of unhindered access to the transferred data by the data subject and by the Ivorian public authorities
According to Article 8 of the Decree, data transfers to third countries are subject to regular monitoring by ARTCI, particularly as regards their purpose. ARTCI may set up cooperation mechanisms with the data protection authorities of the main host countries. The data controller must draw up and submit to ARTCI an annual activity report on the transfer of data to third countries.
The transfer of personal information is authorized by the Laws if the data subject provides prior, unequivocal, express and valid written consent to the company that manages the database. Such transfers cannot violate the principles and rights granted in the Laws. Also, there are specific limitations regarding cross-border transfers of personal information.
The transfer of personal information from the person responsible for a database to a service supplier, technological intermediary, or entities in the same economic interest group is not considered a transfer of personal information and thus does not need authorization from the data subject. Also, the transfer of public information (which can be generally accessed) does not need authorization from the data subject.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Croatia regulation
The Act does not contain any special transfer requirements other than those prescribed by the GDPR.
The Cuban rules contain no provisions concerning transfer.
National Ordinance Personal Data Protection
Contains no clauses.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Cyprus regulation
With regard to the transfer of special categories of personal data, prior to such data being transferred to a third country or an international organization on the basis of appropriate safeguards provided for under Article 46 of the GDPR or on the basis of binding corporate rules under Article 47 of the GDPR, the data controller or the processor needs to inform the Commissioner of its intention to transfer the said data. The Commissioner may impose express restrictions on such a transfer.
Similarly, when special categories of personal data are to be transferred to a third country or an international organization on the basis of a derogation for specific situations provided for under Article 49 of the GDPR, an impact assessment is required to be carried out as well as prior consultation with the Commissioner and the Commissioner may, for important reasons of public interest, impose express restrictions for such transfer.
In light of the Schrems II decision, the European Data Protection Board (EDPB) has issued Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, in respect of transfers made under the standard contractual clauses. The Commissioner directs organisations to the EDPB Recommendations 01/2020 and urges them to follow the guidance of the EDPB.
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
The Digital Code distinguishes between the transmission and transfer of personal data.
The transmission of personal data, which refers to the transmission of personal data between persons responsible for transmitting personal data (without these being Data Protection Officers), whether private or public entities, is legal and permitted provided the person whose personal data are being transmitted has granted his / her explicit and prior consent.
The transfer of personal data refers to the transfer of data to another country or to a data service provider whose servers are located in another country. Such transfer is legal and accepted provided that the third country or international organization where the data will be effectively kept provides a level of security and protection equal to or better than the level of security and protection provided by the Digital Code.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available, and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Denmark regulation
The Danish Data Protection Act does not contain any additional regulation in relation to transfer of personal data. Thus, the relevant articles of the GDPR apply.
Transfer is considered a form of 'treatment' of personal data under the DPL; hence, the rules apply, including consent requirements. Additional restrictions are provided under the DPL for international data transfers.
Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for the treatment of the personal data.
Personal data may be transferred or communicated to third parties when this is carried out for the fulfillment of purposes directly related to the legitimate functions of the controller and the recipient, when the transfer falls within one of the grounds of legitimacy and the owner has also given consent.
It shall be understood that the consent is informed when for the transfer or communication of personal data the data controller has provided sufficient information to the data subject to enable him/her to know the purpose for which his/her data will be used and the type of activity of the third party to whom it is intended to transfer or communicate such data.
It will not be considered a transfer or communication in the event that the processor or a third party accesses personal data for the provision of a service to the controller of personal data. The third party who has legitimately accessed personal data under these conditions shall be considered the processor.
The treatment of personal data carried out by the processor or by a third party must be regulated by a contract, in which it is clearly and precisely established that the personal data processor or the third party will only process the information in accordance with the instructions of the owner and will not use it for purposes other than those indicated in the contract, nor transfer or communicate it even for storage to other persons.
The contract between controller and processor must contain provisions specifying at least the following:
- Object
- Duration
- Nature
- Purposes of the processing activities
- Categories of personal data
- Data owners
- Obligations and responsibilities of the processor
Once the contractual performance has been fulfilled, the personal data shall be destroyed or returned to the data controller under the supervision of the Personal Data Protection Authority.
The processor or third party shall be liable for any infringements arising from non-compliance with the conditions of personal data processing set forth in this Law.
The processor may engage a third party to supplement the provision of a service to the controller of personal data, provided that this is expressly stated in the processing agreement. Otherwise, it shall require the written authorization of the controller for the subcontracting.
Pursuant to Article (14) of the Law, it is prohibited to transfer any personal data that was collected or prepared for processing to a foreign country unless such country grants a level of protection of personal data that does not fall below what is stipulated in the Law, and subject to obtaining a relevant license or permit from the Centre. However, exceptions are made under Article (15) of the Law if the direct consent of the data subject or his representative is obtained for transferring, sharing, circulating or processing personal data to a country that does not offer the same level of protection, in the following cases:
- To protect the data subject’s life and provide them with medical care, treatment, or the administration of medical services.
- To perform obligations in order to prove the existence of a legal right or to exercise or defend such right before the judiciary.
- To conclude or perform an agreement entered into by the person responsible for processing the personal data and third party, which shall be in favor of the concerned data subject.
- To perform a procedure required under an international judicial cooperation.
- There is legal necessity or obligation to protect the public interest.
- To transfer money to another country pursuant to the laws in force of that country.
- If the transfer or circulation is pursuant to a bilateral or multilateral agreement, to which the Arab Republic of Egypt is a party.
In addition, the controller or the processor may, as the case may be, grant access to personal data to another controller or processor outside the Arab Republic of Egypt by virtue of a license from the Centre provided that the following conditions have been met:
- There is conformity between the nature of work of either of the controllers or processors, or unity between the purposes for which they obtain the personal data.
- Either the controllers or processors, or the data subject, have a legitimate interest in the personal data.
The level of legal and technical protection of the personal data offered by the controller or the processor abroad shall not fall below the level of protection provided in the Arab Republic of Egypt.
Transfer is not specifically regulated. However, dispersed regulation generally establishes that the owner of personal information must authorise the transfer of their data in writing.
Art. 21 is to the effect that:
- Personal data obtained by the General Administration of the State cannot be communicated or given out unless it is for historical, statistical or scientific purposes. However, personal data may be communicated between the public administration and other public organs or institutions.
- Private holders of personal data cannot communicate or give out personal data found in their possession unless by a court order issued by a competent court.
- For the performance of any of the above, the holders of the data have to be notified of the purpose for which their data is to be communicated or given out. Notwithstanding, consent will not be needed from the owner of the data unless the data was made available to the public, and it is likely to be communicated to other public or private files.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Estonia regulation
The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.
No specific geographic transfer restrictions apply in Ethiopia.
However, existing law provides that personal data transfers must be based on the prior written consent of the person whose data is to be transferred and only for an intended lawful purpose.
None.
No applicable laws.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Finland regulation
The new Data Protection Act does not include additional clauses concerning transfer of personal data, i.e., Finland has for now decided not to use the marginal national leeway provided in GDPR Articles 46 and 49.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among others binding corporate rules and standard contractual clauses. Controllers should also comply with additional requirements following the ECJ’s Schrems II decision, i.e. by carrying out a Transfer Impact Assessment (TIA) and, where necessary, implementing supplementary measures (such as those provided by the EDPB Recommendations 01/2020). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
France regulation
In the event processing of personal data involves a transfer of data outside the European Union territory, data subjects must be provided with mandatory information on, inter alia, the data transferred, the purpose of the transfer, the recipients of the data and the transfer mechanism used in accordance with the GDPR.
With respect to transfers made on the basis of Article 49(1)§2 of GDPR ("compelling legitimate interest"), the Decree provides that the CNIL will define templates (including annexes) to be used by data controllers to inform the CNIL about such transfers.
With respect to transfers made on the basis of a code of conduct or other certification mechanism approved by the CNIL in accordance with the Law and the Decree, the Decree provides that data controllers / data processors that rely on such transfer mechanisms shall provide the CNIL with a binding and enforceable commitment to apply appropriate safeguards to data subjects’ rights and freedoms in the concerned third country.
Data transfers to another country are prohibited unless the other country ensures an adequate level of privacy protection and protection of fundamental rights and freedoms of individuals with regard to the processing operation.
The list of countries that comply with this adequate level of protection shall be published by APDPVP (article 171 in fine of the law on personal data). As far as we are aware, this list has not yet been published. However, the Data Protection Law of 2023 in its article 171 does identify the criteria which must be considered by the APDPVP in order to determine adequacy:
- the legal provisions existing in the country in question;
- the security measures enforced;
- the specific circumstances of the processing (such as the purpose and duration thereof); and
- the nature, origin, and destination of the data.
As an alternative to the 'adequacy' criteria, Article 76 of the aforementioned law allows data controllers to transfer data if:
- the data subject has consented expressly to its transfer;
- the transfer is necessary to save that person's life;
- the transfer is necessary to safeguard a public interest;
- the transfer is necessary to ensure the right of defence in a court of law; or
- the transfer is necessary for the performance of a contract between the data subject and the data controller, at the request of the data subject, or for the performance of a contract between the data controller and a third party in the interest of the data subject.
Note that, except in very specific circumstances, the international transfer of non-encrypted personal data for the purpose of investigation in the health sector is not possible, given the sensitivity of the data at stake.
In relation to outsourcing, the Data Protection Law of 2023 does not provide for specific provisions, except:
- the obligations applicable to the relationship with data processors;
- when data processors are located outside the country, the provisions applicable to international data transfers; and
- general security obligations, which vary depending on the nature of the data at stake (Articles 168 et seq. of the aforementioned law).
No references are included to specific concerns regarding, for example, outsourcing to the cloud or to data centres.
The transfer of data to another state and international organization is allowed if the requirements for data processing provided for by the Data Protection Law and appropriate safeguards in the relevant state or international organization are in place for ensuring data protection and the protection of data subjects’ rights.
The existence of adequate safeguards for data protection in another state and / or international organization is assessed by the Personal Data Protection Service on the basis of international obligations and regulatory legislation relating to data protection, guarantees for the protection of the rights and freedoms of data subjects (including effective legal protection mechanisms), rules for further international data transfer, and the analysis of the existence, powers and activities of an independent data protection supervisory body.
A list of states and international organizations in which adequate data protection guarantees are ensured is determined by a normative act of the head of the Personal Data Protection Service and is reviewed at least once every 3 years. If a state and / or international organization no longer meets the conditions provided for above, appropriate changes are made to the said list, which do not have retroactive force.
As of January 2025, the list of the acknowledged countries is as follows:
“Commonwealth of Australia, Republic of Austria, Republic of Albania, Principality of Andorra, Republic of Argentina, New Zealand, Kingdom of Belgium, Bosnia and Herzegovina, Republic of Bulgaria, Federal Republic of Germany, Kingdom of Denmark, United Kingdom of Great Britain and Northern Ireland, Kingdom of Spain, Republic of Estonia, Japan, Ireland, Republic of Iceland, State of Israel, Republic of Italy, Canada, Republic of Cyprus, Republic of Latvia, Republic of Lithuania, Principality of Liechtenstein, Grand Duchy of Luxembourg, Republic of Malta, Republic of Moldova, Principality of Monaco, Montenegro, Kingdom of the Netherlands, Kingdom of Norway, Republic of Poland, Portuguese Republic, Romania, Hellenic Republic (Greece), French Republic, Republic of Serbia, Slovak Republic, Republic of Slovenia, Ukraine, Hungary, Oriental Republic of Uruguay, Republic of Finland, Kingdom of Sweden, Swiss Confederation, Czech Republic, Republic of North Macedonia, Republic of Croatia, Republic of Korea”.
In addition to cases where a country is recognized in the list under the conditions set out above, the transfer of data to another state or international organization is also allowed if:
- (a) the transfer of data is envisaged by an international treaty or agreement of Georgia;
- (b) a controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organization;
- (c) the transfer of data is stipulated by the Criminal Procedure Code of Georgia (for the purpose of carrying out investigative action), the Law of Georgia On the Legal Status of Aliens and Stateless Persons, the Law of Georgia On International Cooperation in Criminal Matters, the Law of Georgia On International Cooperation in Law Enforcement, or a normative act adopted on the basis of the Organic Law of Georgia On the National Bank of Georgia or the Law of Georgia On Facilitating the Prevention of Money Laundering and the Financing of Terrorism;
- (d) a data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant state and on possible threats;
- (e) the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable of giving consent to such data processing; or
- (f) there is a lawful public interest (including for the purposes of crime prevention, investigation, identification and criminal prosecution, the execution of a sentence and carrying out operative and investigation actions) and the transfer of data is a necessary and proportionate measure in a democratic society.
On the basis of letter (b) (agreement between controller and processor), data transfer is allowed only after obtaining a permit from the Personal Data Protection Service, and the procedure for issuing such a permit is established by a normative act of the head of the Personal Data Protection Service. Also, the respective agreement on data transfer must provide that the provisions therein are legally binding.
In the case of data transfer on any of the grounds stipulated in the above letters, a controller / processor is obliged to take the necessary organizational and technical measures to safeguard such data transfer.
Data transferred to another state or international organization may be further transferred to a third party only if such data transfer serves the initial purpose of data transfer and meets the basis for data transfer and guarantees adequate safeguards for data protection as provided for right above.
It should be noted that all conditions set out above (being recognized by the Personal Data Protection Service, or being justified by at least one of the grounds listed in the above letters) are independent of each other, meaning they apply individually, not cumulatively.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on the condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Germany regulation
The transfer of personal data to a third country or to supranational or intergovernmental bodies or international organisations in the context of activities not falling within the scope of the GDPR or the Law Enforcement Directive (EU) 2016/680 is also permitted if it is necessary for the performance of own tasks for imperative reasons of defence, for the performance of supranational or intergovernmental obligations of a federal public body in the field of crisis management or conflict prevention, or for humanitarian measures.
There are no specific provisions in the Act on the transfer of personal data. However, the sale and purchase of personal data or information is prohibited. Additionally, a person is prohibited from knowingly obtaining or knowingly or recklessly disclosing the personal data or the information contained in the personal data of another person.
A person who sells or offers to sell the personal data of another person commits an offence and is liable on summary conviction to a fine of not more than 2500 penalty units or to a term of imprisonment of not more than five years or to both.
A person who purchases, knowingly obtains, or knowingly or recklessly discloses personal data is liable on summary conviction to a fine of not more than 250 penalty units or to a term of imprisonment of not more than 2 years or to both.
A penalty unit is equivalent to GHS12 (approximately USD11.6 as at 22 December 2023).
Transfers from Gibraltar
Transfers of personal data by a controller or a processor to third countries outside of Gibraltar are only permitted where the conditions laid down in Chapter V of the Gibraltar GDPR are met (Article 44).
Article 45(1) allows transfers of personal data to:
- third countries on the basis of UK adequacy regulations made under the UK GDPR and Part 2 of the UK Data Protection Act 2018; and
- the United Kingdom.
Currently, the following countries or territories enjoy UK adequacy decisions (these have all essentially been ‘rolled over’, on a temporary basis, from the EU GDPR with some additions): Andorra, Argentina, Canada and Japan (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, South Korea and New Zealand. Also included are transfers to the USA, if covered under the UK extension to the EU-US Data Privacy Framework.
The UK is also currently treating all EU and EEA Member States as adequate jurisdictions. Therefore, transfers from Gibraltar to any of the above jurisdictions will not require any additional safeguards under the Gibraltar GDPR.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and the use of standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection for data subjects and their personal data.
Section 128A of the DPA04 allows Gibraltar’s Information Commissioner to publish standard data protection clauses which comply with Article 46 requirements. To date, a bespoke International Data Transfer Agreement (“IDTA”) has been published for data exports from Gibraltar, in addition to an International Data Transfer Addendum (“Addendum”). Both the IDTA and the Addendum can be used. Whereas the IDTA is a full-form standalone agreement, the Addendum is to be used alongside the EU Standard Contractual Clauses in the context of the Gibraltar GDPR.
Article 49 of the UK GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to domestic law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to Gibraltar’s Information Commissioner and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside Gibraltar (Article 48) are only recognised or enforceable (within Gibraltar) where they are based on an international agreement which applies to Gibraltar, such as a mutual legal assistance treaty in force between the requesting third country and Gibraltar; a transfer in response to such requests where there is no other legal basis for transfer will infringe the Gibraltar GDPR.
Transfers from the UK to Gibraltar
Gibraltar and the UK enjoy the free flow of personal data without the need for any additional safeguards.
Gibraltar is now a third country for the purposes of Chapter V of the EU GDPR. Unlike the UK, Gibraltar does not currently benefit from an EU adequacy decision. It is expected that Gibraltar will obtain EU adequacy with the conclusion of the UK-EU treaty on Gibraltar. Until then, alternative EU GDPR Chapter V safeguards are required to transfer personal data from the EU to Gibraltar.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Greece regulation
The Greek Data Protection Law does not provide for any additional rules on cross-border data transfers.
Transfer of personal data is not regulated as such; however, Art. 31 of the Law on Access to Public Information establishes that written consent is necessary for any type of information transfer and expressly bans the commercialisation of sensitive data and sensitive personal data.
The DPL 2017 differentiates between authorised jurisdictions and unauthorised jurisdictions.
Authorised jurisdictions include:
- the Bailiwick of Guernsey;
- a member state of the European Union;
- any country, sector or international organisation which has been determined by the European Commission as providing an 'adequate level of protection' for the rights and freedoms of data subjects; or
- any designated jurisdiction.
A designated jurisdiction includes the UK (or any country within the UK), any Crown Dependency (such as the Channel Islands or Isle of Man) or any sector within the UK or a Crown Dependency.
Unauthorised jurisdictions means any countries, sectors in a country or international organisation that does not fall within the scope of an 'authorised jurisdiction'.
Personal data must not be transferred outside of the Bailiwick of Guernsey by a controller or processor ("Exporter") to an unauthorised jurisdiction unless the Exporter is satisfied that:
- (a) particular 'safeguards' are in place and there is a mechanism for data subjects to enforce their rights and obtain effective legal remedies against a controller or processor receiving the personal data ("Importer") (section 56 DPL 2017);
- (b) the Authority or the ODPA has authorised the transfer (section 57 DPL 2017); or
- (c) other specified derogations exist (section 59 DPL 2017).
'Safeguards' for the purposes of paragraph (a) above include: legally enforceable agreements (where the Importer is a public authority / body), binding corporate rules, the EU's Model Clauses (or equivalent provisions as may from time to time be in force) or approved codes or other approved mechanisms which combine binding and enforceable commitments on the Importer.
'Derogations' include:
- the data subject has given explicit consent to the transfer after having been informed of the risks of the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and third party in the interests of the data subject or for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;
- the transfer is authorised by regulations made for reasons of public interest;
- the transfer is necessary for, or in connection with, legal proceedings, obtaining legal advice or for the purposes of establishing, exercising or defending legal rights;
- the transfer is necessary to protect the vital interests of the data subject or another individual (provided that the data subject is physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent);
- the transfer is part of personal data on a public register or a register to which a member of the public has lawful access;
- the transfer is required by a decision of a public authority (within or without the Bailiwick) based on an international agreement imposing international obligations on the Bailiwick, or by an order of a court or tribunal; or
- the transfer is in the legitimate interests of the controller which outweigh the significant interests of the data subject and:
  - the transfer is not repetitive;
  - the transfer only concerns a limited number of data subjects; and
  - the controller has assessed all circumstances surrounding the data transfer and, on the basis of that assessment, considers that appropriate safeguards to protect the personal data have been provided.
Where the transfer is justified on the legitimate interests grounds described above, both the ODPA and the data subject must be notified accordingly.
Guernsey
In common with the GDPR, the DPL 2017 places restrictions on the extent to which personal data may be transferred to recipients outside the Bailiwick of Guernsey ("Guernsey").
As set out above, in the absence of an adequacy decision by the EC, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to "appropriate safeguards". The Law replicates this regime for transfers outside Guernsey.
Appropriate safeguards for such transfers include:
- Binding corporate rules ("BCRs");
- Standard data protection contractual clauses adopted by the European Commission ("SCCs").
SCCs are generally the most commonly utilised mechanism for such transfers.
In June 2021, the EC approved a new set of SCCs for international data transfers.1
The Guernsey data protection regulator, the ODPA, has now approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey (The European Commission’s new Standard Contractual Clauses - technical update ODPA).
The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the existing sets of SCCs (which include two controller to controller (“C2C”) sets (2001 and 2004) and a controller to processor (“C2P”) set (2010)). The new SCCs (unlike the existing ones, which only applied to C2C and C2P transfers) apply to a broader range of scenarios and include provisions for processor-to-processor ("P2P") and processor-to-controller ("P2C") transfers.
The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to "build" the relevant agreement on a modular basis.
The new SCCs also incorporate provisions to address the Schrems II decision of the European Court of Justice, the key effect of which was to invalidate the EU-U.S. Privacy Shield and to place additional administrative conditions on the use of SCCs.
While a transition period allowed businesses to incorporate the old SCCs into new contracts until, at the latest, 27 September 2021, any Guernsey business looking to export personal data in reliance on SCCs will after that date need to use the new SCCs, which provide for these further steps to be taken. All existing contracts must be transitioned to the new SCCs by 27 December 2022.
Where controllers and processors are utilising SCCs (either new or old) or BCRs, they will need also to take account of the Schrems II decision. The European Data Protection Board ("EDPB") has published its Schrems II guidance in relation to supplementary measures to accompany international transfer tools. In summary, a 6 step process is required in relation to international transfers.
- Know your transfers. Be aware of where the personal data goes so you know the level of protection provided there. Make sure the data you transfer is adequate, relevant and limited to what is necessary.
- Verify the transfer tool your transfer relies on. Using the SCCs or BCRs will be enough in this regard.
- Assess if there is anything in the law and / or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
- Identify and adopt supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third party country's safeguards. If no supplementary measure is suitable, you must avoid, suspend or terminate the transfer.
- Take any formal procedural steps the adoption of your supplementary measure may require.
- Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.
In practice, the above requires a detailed and documented transfer impact assessment ("TIA"). For many Guernsey controllers and processors this will be an onerous process, and we would suggest that Guernsey businesses prioritise it. We are able to assist clients in this process.
Transfers between Guernsey and the USA
The replacement of the Privacy Shield transfer scheme (invalidated by Schrems II) by the EU-US Data Privacy Framework means that Guernsey controllers and processors are in principle able to utilise the new Framework for data transfers. However, the US Department of Commerce is yet to extend the scope of the Framework to cover Guernsey, and accordingly it is recommended that Guernsey controllers and processors continue to utilise standard contractual clauses in respect of transfers between Guernsey and the US.
What about the UK?
The European Commission has now recognised the UK as an adequate jurisdiction for the purposes of international data transfer, and the UK has in turn recognised Guernsey as an adequate jurisdiction for the purposes of the UK GDPR, meaning that transfers between the UK and Guernsey may continue without restriction.
Guernsey controllers and processors who are subject to the UK GDPR by virtue of its extra territoriality provisions will also need to consider whether they may need to continue using the existing standard contractual clauses or the UK International Data Transfer Agreement.
Footnotes
1. It should be noted that the European Commission also approved a set of SCCs in relation to data processing agreements at the same time.
The data controller may be authorised to transfer such data to a third country only if the State ensures a higher or equivalent level of protection of the privacy, fundamental rights and freedoms of individuals with regard to the processing to which such data is or may be subject.
Before any effective transfer of personal data to the third country, the data controller must obtain prior authorisation from the personal data protection authority. Any transfer of personal data to a third country is subject to strict and regular control by the personal data protection authority, in the light of its purpose.
If personal data is communicated to a third party, it must remain accessible to, and capable of being modified by, the person to whom the stored data relates.
Individuals and / or companies may not transfer, commercialize, sell, distribute or provide access to personal data contained in databases developed in the course of their job, except with the express and direct written consent of the person to whom that data refers, subject to certain exceptions.
Data users may not transfer personal data to third parties (including affiliates) unless the data subject has been informed of the following on or before their personal data was collected:
- that their personal data may be transferred; and
- the classes of persons to whom the data may be transferred.
There are currently no restrictions on transfer of personal data outside of Hong Kong, as the cross‑border transfer restrictions set out in section 33 of the Ordinance were held back and have not yet come into force. A proposal to implement section 33 (perhaps with amendments) was put forward to the Hong Kong Government in 2015, but this process has been delayed. Notably, however, these were not included in the January 2020 Consultation Paper or mentioned in the PCPD’s Report issued in February 2023 or the Panel Meeting Summary published in February 2024. If these restrictions come into force as currently drafted, they will have a significant impact upon outsourcing arrangements, intragroup data sharing arrangements, compliance with overseas reporting obligations and other activities that involve cross-border data transfer.
Nevertheless, non‑binding best practice guidance published by the PCPD encourages compliance with the cross‑border transfer restrictions in section 33 of the Ordinance, which prohibit the transfer of personal data to a place outside Hong Kong unless certain conditions are met (including a white list of jurisdictions; separate and voluntary consent obtained from the data subject; and an enforceable data transfer agreement for which the PCPD provides suggested model clauses). In practice, most data users will enter into data transfer agreements by putting in place the recommended model contractual clauses for cross‑border transfer of personal data published by the PCPD (RMCs) with the overseas recipient prior to conducting any overseas transfer activities.
On 13 December 2023, the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (GBA) (GBA Standard Contract) and its implementation guidelines were announced to promote the safe and orderly cross-boundary flow of personal data within the GBA. Adoption of the GBA Standard Contract is voluntary. The PCPD published guidance in December 2023 to help organisations in Hong Kong understand the applicability of the GBA Standard Contract and its relationship with the RMCs. While the GBA Standard Contract initially focused on certain key industries, from November 2024 onwards it was extended to all sectors.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses; the derogations in Article 49 (described below) are a separate basis for transfer, not an appropriate safeguard. On 16 July 2020 the Court of Justice of the European Union (CJEU) in its Schrems II decision invalidated the EU-US Privacy Shield Framework and created new obligations, notably for businesses transferring personal data pursuant to standard contractual clauses. On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The new adequacy decision allows personal data to flow from the European Economic Area to DPF-certified US companies without the need for additional data protection safeguards.
The CJEU in its Schrems II decision affirmed that the protections of EU law for personal data must follow the data when transferred outside the EU; the protection provided in the destination country must be essentially equivalent to EU laws. The CJEU specifically tasked data exporters with assessing transfers on a case-by-case basis and putting into place supplementary measures (technical, organizational and / or contractual measures) whenever necessary to ensure essentially equivalent protection.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. Transfers to the United States may in addition rely on the adequacy decision for the EU-US Data Privacy Framework (Article 45), which replaced the Privacy Shield Framework invalidated in July 2020 by the CJEU in Case C-311/18 (Schrems II). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Iceland regulation
Article 16 of the DPA implements the provisions of the GDPR on the transfer of personal data to third countries and international organisations into Icelandic national legislation. The same restrictions therefore apply as under the GDPR. Furthermore, Announcement No. 1155/2022 provides for the transfer of personal data to countries which have received an adequacy decision from the European Commission.
Under the DPDP Act, transfer of personal data for the purpose of processing is permitted to any country or territory outside India, except to countries which have been specifically blacklisted by the Government of India. The list of countries to which cross-border data transfers are not permitted will be notified by the Government of India. Further, Data Fiduciaries may transfer personal data to another Data Fiduciary or Data Processor only under a valid contract.
The Draft Rules state that the transfer of personal data by a Data Fiduciary (whether within or outside India) may be subject to restrictions or requirements that the Central Government may specify in respect of making such data available to a foreign State.
While the DPDP Act does not provide any guidelines or requirements with respect to the contract regulating the data transfer, such data transfer agreements may contain adequate indemnity provisions for a third-party breach and may specify a mode of transfer that is adequately secured and safe. Additionally, the DPDP Act provides for certain indirect obligations on Data Processors which may be incorporated in the data transfer agreements. These include:
- implementing reasonable security safeguards to prevent personal data breach;
- reporting of personal data breaches to the Data Fiduciary;
- erasing personal data upon receiving a communication to that effect by the Data Fiduciary; and
- restricting transfer of personal data to countries which have been blacklisted by the Government of India.
Data Localisation
While the DPDP Act itself does not provide for data localisation requirements, it recognizes that other sector-specific statutes and regulations may have restrictions on storing certain classes of data, which may include personal data.
Separately, the Draft Rules require Significant Data Fiduciaries to take measures to ensure that personal data specified by the Central Government is processed in a manner such that the personal data, and the traffic data pertaining to its flow, is not transferred outside India. There is as yet no clarity on which types of personal data will be required to be localised.
India’s central bank, the Reserve Bank of India (RBI), has made it mandatory from October 15, 2018, for all payment system providers and their service providers, intermediaries, third party vendors and other entities in the payment ecosystem to ensure that all data relating to payment systems operated by them is stored in a system only in India. Notably, by virtue of this regulation, the RBI requires storage in India of all payment system data, covering the entire payment processing cycle from request to final payout: customer data (name, mobile number, Aadhaar number, PAN number, etc.), payment sensitive data (customer and beneficiary account details), payment credentials (OTP, PIN, passwords, etc.), and transaction data (originating and destination information, transaction reference, timestamp, amount, etc.). However, for cross border transactions which consist of both foreign and domestic components, data pertaining to the foreign leg may be stored outside India. While data pertaining to the domestic leg must be stored in India, a copy may be stored abroad.
The Securities and Exchange Board of India (SEBI) has issued an advisory for financial sector organizations such as merchant bankers, credit rating agencies, STP service providers, debenture trustees, depository participants and other financial institutions which use Software as a Service (SaaS) based solutions for managing their governance, risk and compliance functions. This advisory also lists certain critical data sets, such as credit and liquidity risk data, market risk data, system and sub-system information, supplier information, system configuration data, audit / internal audit data, and network topography and design, which must be stored in India. More recently, SEBI has issued a Framework for Adoption of Cloud Services by regulated entities. If a regulated entity engages cloud service providers to conduct its business functions and any data pertaining to the regulated entity is on the cloud in any form, that data is required to be stored within the legal boundaries of India. Where the regulated entity has a foreign parent entity, the original data is required to be available and readily accessible in India; this implies that a copy of such data may be stored abroad.
Separately, the Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015, require insurers to store policy and claim records on systems located in India (including records held in electronic form).
Additionally, Section 128 of the Companies Act, 2013, requires every company to prepare and keep at its registered office its books of account, other relevant books and papers and financial statements for every financial year. On August 5, 2022, the Ministry of Corporate Affairs amended the related rules so that all such books and papers maintained in electronic mode must remain accessible in India at all times.
Further, the Indian Computer Emergency Response Team (CERT-In) issued directions on information security practices, procedure, prevention, response and reporting of cyber incidents (Cyber Security Directions) dated April 28, 2022 (in force since June 28, 2022). These directions, together with the frequently asked questions released on them, require service providers offering services to users in the country to enable and maintain logs and records of financial transactions within India.
Cross border transfers
Transfers of personal data, including transfers outside the territory of the Republic of Indonesia, in principle require an underlying legal basis. Cross border transfers are in principle permitted provided that the transferring data controller can ensure one of the following, in descending order of preference:
- that the country of domicile of the data controller or data processor that will receive the transfer of personal data has an equal or higher level of personal data protection than afforded under the PDP Law ("Adequacy of Protection");
- in the absence of Adequacy of Protection, an adequate level of binding personal data protection shall be available ("Appropriate Safeguards");
- if neither Adequacy of Protection nor Appropriate Safeguards are present, (prior) consent shall be obtained from the data subject.
Further terms in this regard are intended to be set out in a government regulation, which had not yet been issued at the time of writing.
The current Draft Implementing Regulation to the PDP Law (version of August 31, 2023) suggests that the Adequacy of Protection assessment will be made by the PDP Agency (which, as of the date of writing, has yet to be formed and become operational), which may consequently issue a list of countries that have an equal or higher level of personal data protection.
The cross border transfer reporting obligation to the relevant authority regulated under the General Data Protection Regulations is viewed as conflicting with the PDP Law and as no longer necessary now that the PDP Law is in full force.
The Charter of Citizen’s Rights prohibits personal data transfers without express data subject consent.
Under the ECL, third party and extraterritorial data transfers are subject to:
- data subject consent; and
- assurance that adequate security levels are in place to protect personal data in accordance with data subject rights and freedoms.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on the condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. Transfers to the United States may in addition rely on the adequacy decision for the EU-US Data Privacy Framework (Article 45). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Ireland regulation
Section 37 of the DP Act provides the Minister for Justice and Equality with the power to make regulations restricting the transfer of categories of personal data to a third country or an international organisation for important reasons of public policy.
The transfer of Personal Data abroad is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 ("Transfer Regs"), pursuant to which Personal Data may be transferred abroad only to the extent that:
- the laws of the country to which the data is transferred ensure a level of protection, no lesser than the level of protection of data provided for by Israeli Law; or
- one of the following conditions is met:
- the data subject has consented to the transfer;
- the consent of the data subject cannot be obtained and the transfer is vital to the protection of his or her health or physical wellbeing;
- the data is transferred to a corporation under the control of the owner of the database from which the data is transferred, provided that such corporation has guaranteed the protection of privacy after the transfer;
- the data is transferred to an entity bound by an agreement with the database owner, to comply with the conditions governing the use of the data as applicable under Israeli Laws, mutatis mutandis;
- data was made available to the public or was opened for public inspection by legal authority;
- transfer of data is vital to public safety or security;
- the transfer of data is required by Israeli Law; or
- data is transferred to a database in a country:
- which is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; or
- which receives data from Member States of the European Community, under the same terms of acceptance¹; or
- in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (Reshumot), that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with that authority.
When transferring personal data abroad, the database owner is required to enter into a data transfer agreement with the data recipient, pursuant to which the recipient undertakes to apply adequate measures to ensure the privacy of the data subjects and guarantees that the data shall not be further transferred to any third party.
The foregoing data transfer agreement must also comply with additional restrictions, to the extent that the recipient provides outsourcing services, as set forth in the Outsourcing Guidelines.
On January 31, 2011, the European Commission, on the basis of Article 25(6) of Directive 95/46/EC, determined that the State of Israel ensures an adequate level of protection with regard to automated processing of personal data.
On 15 January 2024 the European Commission issued a “Report from the Commission to the European Parliament and the Council on the First Review of the Functioning of the Adequacy Decisions Adopted Pursuant to Article 25(6) of Directive 95/46/EC”, in which it confirmed that Israel’s adequacy status of January 31, 2011 had been maintained.
Additionally, the transfer of databases is subject to the IPA Draft Guidelines No. 3/2017, which under certain circumstances, such as the database recipient having a conflict of interest, may require opt-in consent of data subjects as a condition to transferring databases.
On January 4, 2022, the IPA published a Draft Guideline: Interpretation of Section 3 of the Transfer Regs, clarifying the prohibition on onward transfer of Personal Data by a data recipient. It stipulates that such onward transfer may be permitted where the following conditions are met: (i) the database owner has given written consent; (ii) the transfer of the information to the third party is performed lawfully, that is, based on the consent of the data subjects or as required by law; and (iii) had the information been transferred directly from Israel to that third party, the transfer would itself comply with the conditions set forth above.
On November 29, 2022, the Ministry of Justice published for public comment draft regulations on data transferred from the EEA to Israel, which include additional data subject rights such as the right to be forgotten and restrictions on data retention, as part of Israel's efforts to maintain the adequacy status it received from the EU. At that time, the timing of the regulations entering into force depended on a new government being formed.
On May 7, 2023, the Israeli Ministry of Justice published Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023, which establish obligations (such as: obligation to delete Personal Data, limit the retention of Personal Data that is not necessary, accuracy and notification obligations) that will apply to Personal Data transferred to Israel from the European Economic Area (EU, Iceland, Norway and Liechtenstein). Furthermore, information regarding a person's origin and information regarding membership in a labor organization will be considered Sensitive Data.
On September 14, 2023, the IPA published Manual: Contracting with Outsourcing Providers – Section 15 to the Data Security Regs, which clarifies the manner in which companies shall contract with their outsourcing providers. The manual specifies issues to be included in the binding agreement between the company and the outsourcing provider, and it includes two appendices for use by the parties: an auxiliary questionnaire for checking the information security aspects of the outsourcing provider, and a proposed questionnaire to determine the method of performing the periodic control of the outsourcing provider.
Footnotes
1. Following the decision of the CJEU in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the IPA issued a statement on October 15, 2015, according to which US Safe Harbor certified entities would no longer fall under the foregoing condition, without derogating from all other conditions. Similarly, following the decision of the CJEU in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, the IPA issued a statement on September 29, 2020, according to which US Privacy Shield certified entities would no longer fall under the foregoing condition, without derogating from all other conditions.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
On July 10, 2023, the EU Commission adopted an adequacy decision pursuant to art. 45 of the GDPR. In its adequacy decision, the Commission has carefully assessed the requirements that follow from the EU-U.S. Data Privacy Framework ("DPF") and has decided that the United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The EU-U.S. Privacy Shield Framework, formerly relied upon for transfers to the United States, was invalidated by the CJEU in Case C-311/18 (Schrems II) on 16 July 2020 and has been superseded by the DPF adequacy decision described above. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
On this aspect, the EDPB issued Guidelines 02/2024 on Article 48 GDPR according to which the key principle of Article 48 is that judgments or decisions from authorities in non-EU countries cannot automatically or directly be recognized or enforced within EU Member States. Therefore, in the absence of an international agreement, or if the agreement does not provide for a legal basis under Article 6(1)(c) or 6(1)(e), other legal bases could be considered. Similarly, if there is no international agreement or the agreement does not provide for appropriate safeguards under Article 46(2)(a), other grounds for transfer could apply.
Italy regulation
The Privacy Code does not derogate from the GDPR in regard to transfers.
Disclosing / Sharing Personal Information
Currently, Personal Data (meaning Personal Information stored in a database) may not be disclosed to a third party without the prior consent of the individual, unless the business operator handling the Personal Information adopts the opt-out method, provides advance notice of joint use to data subjects, discloses the data in the course of a merger or business transfer, or entrusts the handling of the Personal Information to third-party service providers.
Even disclosing Personal Information within a group of companies is considered disclosure to a third party, and consent must be obtained unless the requirements for joint use are met. The APPI also permits the "opt-out" method, whereby a business operator may disclose Personal Information to third parties by default unless individuals opt out. The Amended APPI stipulates that Personal Information received from others under the opt-out method, Personal Information obtained by illegal means, and Sensitive Personal Information cannot be transferred under the opt-out method. The APPI requires a business operator relying on opt-out to disclose in advance to the PPC, and to the public or to the data subject, the following items:
- the name, address and representative person of the business operator;
- the fact that the purpose of use includes the provision of such information to third parties;
- the nature of the Personal Information being provided to third parties;
- the method by which the Personal Information has been obtained;
- the method by which the Personal Information will be provided to third parties;
- the fact that provision of such information to third parties will be stopped upon the request of the data subject;
- the method for an individual to submit an opt-out request to the business operator;
- the method for updating Personal Information which has been provided to third parties; and
- the scheduled date of provision of the Personal Information.
The APPI does not provide any examples of how best to obtain consent from individuals before sharing Personal Information. Generally, written consent should be obtained whenever possible. When obtaining consents, it would be prudent to clearly disclose to the data subject the identity of the third party to whom the Personal Information will be disclosed, the contents of the Personal Information and how the third party will use the provided Personal Information.
The guidelines issued by the PPC provide the following examples as appropriate methods of obtaining the consent for disclosing Personal Information from the data subject:
- receipt of confirmation of the oral or written consent (including a record created by electronic or magnetic means or any other method not recognizable to human senses) from the data subject;
- receipt of a consent email from data subjects;
- the data subject's check of the confirmation box concerning the consent;
- the data subject's click of a button on the website concerning the consent; and
- the data subject's audio input, or touch of a touch panel concerning the consents.
If Personal Information is to be used jointly, the business operator could, prior to the joint use, notify the data subjects of or publish the following:
- the fact that the Personal Information will be used jointly;
- the item of the Personal Information to be disclosed;
- the scope of the joint users;
- the purpose for which the Personal Information will be used by them; and
- the name, address and representative person of the business operator responsible for the management of the Personal Information.
Transfer of Personally Referable Information
The Amended APPI stipulates that prior consent from data subjects is necessary if Personally Referable Information is transferred to a third party and the receiving party can identify a specific individual by cross-referencing such Personally Referable Information with information already in its possession. In general, such consents are to be obtained by the receiving party; the transferor must therefore confirm, before transferring Personally Referable Information to a third party, that the receiving party has already obtained them. That said, the transferor may also collect data subjects' consents on behalf of the receiving party.
Cross-border Transfer
Under the APPI, in addition to the general requirements for third party transfer, prior consent of data subjects specifying the receiving country is required for transfers to third parties in foreign countries unless the foreign country is white-listed under the enforcement rules of the APPI or the third party receiving Personal Information has established similarly adequate standards for privacy protection as specified in the enforcement rules of the APPI. Currently, UK and EU countries are specified as white-listed countries based on the adequacy decision on January 23, 2019.
According to the enforcement rules of the APPI, "similarly adequate standards" means that the practices of the business operator handling the Personal Information are at least equal with the requirements for protection of Personal Information under the APPI or that the business operator has obtained recognition based on international frameworks concerning the handling of Personal Information.
According to the guidelines for offshore transfer, one example of an acceptable international framework is the APEC CBPR system. With regard to data subjects' consent to the transfer of their Personal Information to foreign countries, the Amended APPI stipulates that the business operator shall provide the following information to the data subject when obtaining consent: (i) the name of the country where the receiving party resides, (ii) the data protection legal system of that country and (iii) the data protection measures that the receiving party implements. In addition, the business operator must take the necessary measures to ensure that the receiving party continuously processes the Personal Information in a manner equivalent to the requirements of the APPI.
The DPJL (Article 67) provides that data controllers and processors may only transfer personal data out of the European Economic Area if one of the following conditions are met:
- The transfer is to a jurisdiction which has been held by the European Commission to provide an adequate level of protection for personal data.
- The transfer is made subject to ‘appropriate safeguards’ (Article 68 DPJL), which may include:
- A legally binding and enforceable instrument between public authorities
- Binding corporate rules approved by Jersey's Information Commissioner or another competent supervisory authority under the GDPR (or equivalent statutory provisions), or
- Standard data protection clauses adopted by the Authority or by a competent supervisory authority and approved by the European Commission. It should be noted that the European Commission adopted a new set of standard contractual clauses in June 2021, which have now been approved for use in Jersey (subject to also using a Jersey law addendum). It should be noted that the UK International Data Transfer Agreement has not yet been approved for use in Jersey.
- An exemption applies, the most commonly utilized of which are as follows:
- The transfer is specifically required by a Jersey court
- The data subject explicitly consents
- The transfer is necessary for the performance of a contract to which the data subject is party or the implementation of pre-contractual measures taken at the data subject’s request
- The transfer is necessary to carry out a contract between the data controller and a third party if the contract serves the data subject’s interests
- The transfer:
- Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)
- Is necessary for the purpose of obtaining legal advice, or
- Is otherwise necessary for the purposes of establishing, exercising or defending legal rights
- The transfer protects the data subject’s vital interests where:
- The data subject is physically or legally incapable of giving consent
- The data subject has unreasonably withheld consent, or
- The controller or processor cannot reasonably be expected to obtain the explicit consent of the data subject
Transfers post Schrems II
The burden on Jersey controllers and processors of transferring personal data to unauthorised jurisdictions has increased following the CJEU's Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties ("Schrems II").
Following Schrems II, where Standard Contractual Clauses ("SCCs") are used, controllers (and where applicable processors) must ensure that they have considered their transfers and taken any steps appropriate to ensure that they are lawful.
However, the judgment itself does not provide any assistance as to what steps need to be taken in order to ensure that the chosen safeguards are appropriate. The required approach has since been clarified by the European Data Protection Board, which published the final version of its Recommendations 01/2020 in June 2021 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see below). There is also local Jersey guidance which broadly tracks (and cross refers to) the EDPB guidance.
The emphasis is on controllers / processors to satisfy themselves that the transfers to unauthorised jurisdictions are properly assessed (taking into account the law and practice of the recipient jurisdiction) and, as appropriate, put in place supplementary measures.
CJEU jurisprudence is not binding in Jersey, as Jersey is not an EU member state. However, it is likely to be persuasive (as is the EDPB guidance noted above).
The EDPB guidance referenced above recommends a 6 step process in relation to international transfers.
- Know your transfers. Be aware of where the personal data go so you know the level of protection provided there. Make sure the data you transfer are adequate, relevant and limited to what is necessary.
- Verify the transfer tool your transfer relies on.
- Assess if there is anything in the law and / or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
- Identify and adopt the supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third country's safeguards. If no supplementary measure is suitable, the exporter must avoid, suspend or terminate the transfer.
- Take any formal procedural steps the adoption of your supplementary measure may require.
- Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.
In practice, the above requires a detailed and documented transfer impact assessment ("TIA").
Transfers between Jersey and the USA
The replacement of the Privacy Shield transfer scheme (invalidated by Schrems II) by the EU-US Data Privacy Framework means that Jersey controllers and processors are in principle able to utilise the new Framework for data transfers. However, the US Department of Commerce is yet to extend the scope of the Framework to cover Jersey and accordingly it is recommended that Jersey controllers and processors continue to utilise standard contractual clauses in respect of transfers between Jersey and the US.
What about the UK?
The European Commission has now recognised the UK as an adequate jurisdiction for the purposes of international data transfer and the UK has in turn recognised Jersey as an adequate jurisdiction for the purposes of the UK GDPR meaning that transfers to and from the UK and Jersey may continue without restriction.
Jersey controllers and processors who are subject to the UK GDPR by virtue of its extra territoriality provisions will also need to consider whether they may need to continue using the existing standard contractual clauses or the UK International Data Transfer Agreement.
The Cybercrime Law No. (27) of 2015 (‘Cybercrime Law’) generally acts to criminalise unlawful access to websites or information systems such as access without authorisation, permission or in a manner that breaches the said authorisation or permission.
Anyone who intentionally enters a computer network or an information system by any means without authorisation, or in violation of or exceeding the authorisation, shall be punished by imprisonment for a period of no less than one week and not exceeding three months, or by a fine of no less than (100) one hundred dinars and not more than (200) two hundred dinars, or both of these penalties.
If the entry stipulated above is accompanied by the intention to cancel, delete, add, destroy, disclose, damage, withhold, modify, change, transfer or copy data or information, or to stop or disrupt the operation of the information network or the information system, the offender shall be imprisoned for a period of not less than three months and not exceeding one year and fined no less than (200) two hundred dinars and not more than (1,000) one thousand dinars.
Transfers of personal data are allowed if they do not violate the rights and freedoms of a personal data subject and do not affect the legitimate interests of other individuals and / or legal entities.
The transfer of personal data in cases that go beyond the previously stated purposes of its collection is permitted if carried out with the consent of a personal data subject or his / her legal representative.
The cross-border transfer of personal data to other countries is carried out only in cases where such countries ensure protection of personal data.
The cross-border transfer of personal data to countries that do not ensure protection of personal data is possible:
- with the consent of the personal data subject or his / her legal representative to the cross-border transfer of his / her personal data;
- in cases stipulated by international treaties ratified by Kazakhstan;
- in cases provided for by Kazakh law, if it is necessary for protecting the constitutional system, public order and public health and morals and rights and the freedoms of a person in Kazakhstan;
- in case of protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his / her legal representative is impossible.
Kazakh law may in certain cases prohibit the cross-border transfer of personal data.
Part VI of the Act
The transfer of personal data outside Kenya is highly regulated under the Act. Prior to any transfer the data controller or data processor must provide proof to the DPC on the appropriate safeguards with respect to the security and protection of the personal data including jurisdictions with similar data protection laws.
The consent of the data subject is required for the transfer of sensitive personal data out of Kenya.
Under the Regulations, civil registration registries cannot transfer personal data collected for civil registration purposes outside Kenya without the written approval of the DPC.
The General Regulations elaborate in more detail transfer of personal data outside Kenya. They provide for 4 legal bases for the transfer of personal data out of the country which include:
- appropriate data protection safeguards in the country or territory where recipient is based in;
- adequacy: an adequacy decision made by the DPC that the country, territory or the international organization where data is being transferred ensures an adequate level of protection of personal data;
- necessity: transfer is deemed to be necessary if it is:
- for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;
- for any matter of public interest;
- for the establishment, exercise or defence of a legal claim;
- in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
- consent of the data subject on the condition they have consented to the proposed transfer and have been informed of the possible risks of transfer.
In the context of transfer of personal data, the LPPD addresses two situations:
- Transfer of personal data to countries and international organisations which ensure an adequate level of data protection, and
- Transfer of personal data to countries and international organisations which do not provide adequate level of data protection.
With regard to the transfer of personal data to countries or international organisations that ensure a proper and adequate level of data protection, the IPA adopts by Decision a list of countries and international organisations providing proper data protection; the latest list, adopted on 17 April 2024 ("the Decision"), includes the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
Moreover, the LPPD expressly allows the IPA to rely on the decisions adopted by relevant EU bodies with regard to the transfer of personal data when drafting the list of approved countries providing an adequate level of personal data protection (Article 46.2). Accordingly, based on the Decision, the IPA considers certain countries outside the EU to ensure a proper level of data protection, in accordance with the EU Commission adequacy decisions (Argentina, Andorra, Canada, Guernsey, Isle of Man, Jersey, Faroe Islands, Israel, Switzerland, New Zealand, Uruguay, Japan, United Kingdom, Republic of Korea and the United States of America).
With reference to the countries listed above, when transferring personal data, no special authorisation or permission is required from the IPA, provided the data subject is aware and informed that the personal data are being transferred, as required by the LPPD (Article 12.1.6).
In case of transfer to third parties located in other countries, such application will depend on whether such countries are included in the list of the IPA Decision or decisions of the EU Commission.
With regards to the transfer of personal data to international organisations, the Decision of the IPA does not specifically identify or address international organisations providing adequate level of personal data protection.
However, as a general principle, when deciding on the adequate level of data protection of another country or international organisation, the IPA shall firstly take account of the following elements (Article 47.1):
- The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectorial, including public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another country or international organisation which apply within that country or international organisation, case-law, as well as effective and enforceable data subject right and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- The existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities;
- The international commitments the third countries or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data;
- The type of personal data to be processed;
- The purpose and duration of the proposed processing;
- The legal arrangement in the country of origin and the recipient country, including the legal arrangement for protection of personal data of foreign citizens;
- The measures to secure personal data used in such countries and international organisations.
In addition to the above, in its decision-making process the IPA will pay particular attention to (Article 47.2):
- Whether the personal data to be transferred will be or are used solely for the purpose of which they are being transferred, or whether the purpose may change only on the basis of a permission of the data controller supplying the data or on the basis of personal consent of the data subject;
- Whether the data subject has the possibility of determining the purpose for which his or her personal data will be used, to whom they are being transferred and the possibility of correcting or erasing inaccurate or out-dated personal data, unless this is prevented due to the secrecy of the procedure by binding international treaties;
- Whether the foreign data controller or data processor performs adequate organisational and technical procedures and measures to protect personal data;
- Whether there is an assigned contact person authorised to provide information to the data subject or to the IPA on the processing of personal data transferred;
- Whether the foreign data recipient may further transfer personal data, which may be done only on the condition that another foreign data recipient to whom personal data will be disclosed ensures adequate protection of personal data also for foreign citizens;
- Whether effective legal protection is ensured for data subjects whose personal data were or are being transferred.
In accordance with the above, it is reasonable to assume that international organisations fulfilling the listed criteria will be considered as providing an adequate level of personal data protection. Additionally, international organisations deemed by the EU Commission to provide an adequate level of personal data protection may also be accepted by the IPA (Article 46.2).
Pursuant to the Data Protection Regulation, service providers are required to inform their users about the purposes of data processing, provide a description of the categories of data subjects and types of personal data involved, and disclose any transfer of personal data to foreign countries, specifying the names of those countries. The records must also include a general description of the technical and organizational security measures applied during processing activities, including data transfers.
The E-Commerce Law also includes a general obligation prohibiting data controllers from transferring any information in an illegal manner without the consent of the concerned person or his or her representative.
The Law on Personal Data allows transfer of personal data both within the country and abroad.
Transfer of personal data within the Kyrgyz Republic
- The data subject must be informed (in any form, within a week);
- Personal data may be transferred without the consent of the data subject in the following cases:
- extreme necessity in order to protect the interests of the data subject;
- upon request of state authorities or local authorities, if the requested list of personal data falls within the competence of the requesting authority;
- in any other case established by the laws of the Kyrgyz Republic.
Transfer of personal data outside the Kyrgyz Republic
- The cross-border transfer is carried out on the basis of an international treaty between the countries, under which the receiving party must provide adequate protection of the personal data;
- Consent of the data subject has been obtained; or
- Personal data may be transferred to the countries that do not provide the adequate level of protection on certain conditions:
- With consent of the data subject;
- If the transfer is necessary to protect the data subject's interests; or
- If personal data are contained in the Public Personal Data database.
When transferring personal data to the global information network (internet, etc.) the Holder of the personal data (ie. the data controller) transferring such data, shall provide the necessary means of protection with regard to the confidentiality of the information being transferred.
The Law on Electronic Data Protection provides that the transfer of data must abide by the following requirements:
- the Information Owner has given its consent for the transfer of the electronic data, and the individual or legal entity transferring the electronic data ensures that the receiving entity can protect the electronic data properly;
- documents concerning important information, such as financial, banking, investment, and accounting information, must be encrypted;
- information which is transferred or submitted must not be distorted;
- the transfer must be in line with the agreement between the sender and the recipient; and
- submission or transfer of data must be stopped when the receiver of the data does not intend to receive the information anymore.
The law does not address whether the requirements above should be applied to all individuals or entities, or only to the Data Administrator.
In addition, the Law on Electronic Data Protection emphasizes that any individual, legal entity, or organization contemplating sending or transferring personal data or official data (pertaining to governmental bodies) out of Laos must obtain the consent of the Information Owner and ensure that such submission or transfer does not contravene Lao law; the law provides no further details.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defense of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Latvia regulation
The Personal Data Processing Law imposes a limitation period with respect to a data subject’s rights to information on the recipients or categories of recipients to whom the data have been transferred: the data subject has the right to receive information about transfers within the last 2 years. The Personal Data Processing Law does not provide any other derogations or additional requirements to the GDPR regarding the transferring of the data.
The Law is silent on cross-border data transfers.
The DP Act distinguishes between the transfer of personal information to a recipient in a Member State of the Southern African Development Community (SADC) that has transposed the SADC data protection requirements and the transfer of personal information to a Member State that has not transposed the SADC data protection requirements or to a non-Member State.
Personal information shall only be transferred to recipients in a Member State that has transposed the SADC data protection requirements:
- Where the recipient establishes that the data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller, or
- Where the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced by the transfer or the processing in the Member State
Further to the above, the DP Act requires that the controller make a provisional evaluation of the necessity for the transfer of the data. The recipient shall ensure that the necessity for the transfer of the data can be subsequently verified. The data controller shall ensure that the recipient shall process the personal information only for the purposes for which they were transferred.
Personal information may only be transferred to recipients that are not in an SADC Member State subject to national law adopted pursuant to the SADC data protection requirements if an adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorized to be undertaken by the controller.
The adequacy of the level of protection afforded by the relevant third country shall be assessed in the light of all the circumstances surrounding the relevant data transfer(s); particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing, the recipient's country, the relevant laws in force in the third country and the professional rules and security measures which are complied with in that recipient's country.
The transfer of data out of Liberia is not specifically addressed by any Liberian law. However, Article 36 of the ECOWAS Act, relied on in Liberia as a secondary source of law, restricts data controllers from transferring personal data outside an ECOWAS country unless the non-ECOWAS country provides "an adequate level of protection for privacy, freedoms and the fundamental rights of individuals in relation to the processing or possible processing of such data". In such a case, the data controller shall notify the Data Protection Authority, which is the Liberia Telecommunications Authority (LTA), prior to transferring any personal data.
Section 9(c) of the CBL E-Payment Regulation (though governing the banking and finance sector of Liberia) provides that "the system (used or being used) should be hosted locally to provide ease of support and guarantee data ownership; however, if the system is hosted in another jurisdiction, licensed institutions shall ensure that the information requested is provided promptly and that the CBL has unfettered access to reports generated by the system".
There are no provisions relating to internal data transfers. However, there are provisions relating to international data transfers, which are set out in Article 78 of Law no. 6/2022, which states:
Article 78
If necessary to transfer personal data outside of Libya, due consideration must be given to an appropriate level of protection, specifically:
- The nature of the personal data.
- The source of the information included in the data.
- The purposes for which the data is to be processed and its duration.
- The country to which the data is being transferred, its international commitments, and the applicable law therein.
- The relevant rules in that country.
- The security measures taken to protect the data in that country.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained;
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defense of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Lithuania regulation
The Data Protection Law provides that the State Data Protection Inspectorate must issue an authorization for the transfer of personal data to a third country or an international organization under Art. 46(3) of the GDPR or a substantiated written refusal to issue such an authorization within a maximum of 20 working days.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defense of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
- The transfer is made from a register, which according to EU or Member State law, is intended to provide information to the public, subject to certain conditions
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State (transfers in response to such requests where there is no other legal basis for transfer will infringe the GDPR).
Luxembourg regulation
No specific provisions in the applicable local law.
The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data protection, unless the data subject has provided clear consent or the required legal conditions have been met, and the required filings have been made with the OPDP.
In view of the close relationship with Mainland China and the entry into force of the Chinese Personal Information Protection Law ("PIPL") with extraterritorial effect, the Macao Office for Personal Data Protection (OPDP) has urged local data controllers and processors to be aware of the data transfer requirements under the PIPL, including the requirement to undergo a data security assessment prior to the transfer of data from Mainland China to Macao.
The transfer of a data subject's personal data to a third party country is allowed only if the country guarantees to individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties.
The sufficiency of the protection is assessed by considering all the circumstances surrounding the transfer, in particular the nature of the data, the purpose and duration of the proposed processing, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the country in question, and any relevant codes of conduct or other rules and security measures which are complied with in that country.
Data controllers may transfer personal data to a third country that is not deemed to offer adequate protection only if:
- the data subject consents and is duly informed of the absence of adequate protection;
- the transfer is necessary:
  - for the performance of a contract between the data controller and the individual, or pre-contractual measures undertaken at the individual's request;
  - for the conclusion or the performance of a contract in the interest of the individual, between the data controller and a third party;
  - for the protection of the public interest;
  - for consultation of a public register intended for the public's information;
  - to comply with obligations allowing the acknowledgment, the exercise or the defense of a legal right.
In all cases, the data recipient in the third party country cannot transfer personal data to another country, except with the authorisation of the first data controller and the CMIL.
Under the PDPA, a data user / data controller may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, this provision together with the whitelist regime are removed under the Amending Act.
Pursuant to the Amending Act, the data users / data controllers may transfer any personal data of a data subject out of Malaysia to a country that has substantially similar laws or where the country ensures equivalent levels of protection. These amendments will come into force on April 01, 2025.
Even if these requirements are not satisfied, the cross-border transfer is permissible if it falls within the exceptions to this restriction under the PDPA, including the following:
- The data subject has given his or her consent to the transfer;
- The transfer is necessary for the performance of a contract between the data subject and the data user;
- The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA; and
- The transfer is necessary to protect the data subject’s vital interests.
Additionally, on October 01, 2024, the Commissioner issued the Public Consultation Paper No. 05/2024: Cross Border Personal Data Transfer Guidelines (“PCP No. 05/2024”) to gather public views and feedback on key aspects to be addressed in the proposed guidelines. It is essential to note that the PCP No.05/2024, among others, proposes that the data users / data controllers, who wish to transfer the data out of Malaysia on the ground that the destination has laws that are substantially similar to PDPA or has equivalent levels of protection, must conduct a Transfer Impact Assessment (TIA). The PCP No. 05/2024 also proposes the adoption of cross border transfer mechanisms such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).
The Cross Border Personal Data Transfer Guidelines are expected to be issued by early 2025, likely before April, as the amendments to the provisions on cross-border data transfer under the Amending Act will come into force on April 01, 2025.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defense of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
- The transfer is made from a register, which according to EU or Member State law, is intended to provide information to the public, subject to certain conditions
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State (transfers in response to such requests where there is no other legal basis for transfer will infringe the GDPR).
Malta regulation
The Act does not derogate from or further regulate the provisions of the GDPR in this regard.
A controller or processor may transfer personal data to another country where any of the following apply:
- It has provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data;
- The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer owing to the absence of appropriate safeguards;
- The transfer is necessary: (i) for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; (ii) for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person; (iii) for reasons of public interest as provided by law; (iv) for the establishment, exercise or defense of a legal claim; or (v) in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or (vi) for the purpose of compelling legitimate interests pursued by the controller or the processor which are not overridden by the interests, rights and freedoms of the data subjects involved and where: (A) the transfer is not repetitive and concerns a limited number of data subjects; and (B) the controller or processor has assessed all the circumstances surrounding the data transfer operation and has, based on such assessment, provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data; or
- The transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down by law for consultation are fulfilled in the particular case. Such transfer shall not involve the entirety of the personal data or entire categories of the personal data contained in the register and, where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or in case they are to be the recipients.
The Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the safeguards or the existence of compelling legitimate interests and may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as he may determine.
Mexican privacy laws distinguish between 'transfers' of personal data (to third parties) and transmissions of personal data (to processors). Under Mexican Privacy Laws, a 'transfer' is any communication or transmission of personal data by or on behalf of the Controller to a third party (not including a processor). Where the data controller intends to transfer personal data to domestic or foreign third parties other than a data processor, it must provide the third parties with the privacy notice provided to the data subject and the purposes to which the data subject has limited the data processing. In addition, the controller must notify data subjects in the privacy notice of the transfer, including:
- that the transfer may be made, as well as to whom and for what purposes the personal data may be transferred.
- where consent to the transfer is required, that the data subject consents and how the data subject can refuse to consent to the relevant transfer(s).
The purpose of the transfer must be limited to the purpose and conditions informed in the privacy notice and consented to by the data subject (as applicable).
The third-party recipient must assume the same obligations as the data controller who has transferred the data.
Domestic and international transfers of personal data may be carried out without the consent of the data subject where the transfer is:
- Pursuant to a law or treaty to which Mexico is party
- Necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management
- Made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies as the data controller (provided they will comply with principles of Mexican Privacy Laws, the privacy notice provided to data subjects and the other applicable internal policies regarding data protection)
- Necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject
- Necessary or legally required to safeguard public interest or for the administration of justice
- Necessary for the recognition, exercise or defense of a right in a judicial proceeding, or
- Necessary to maintain or comply with an obligation resulting from a legal relationship between the data controller and the data subject
The Regulations establish that communications or transmissions of personal data to processors do not need to be notified or consented to by the data subject. However, the data processor must do all of the following:
- Process personal data only according to the instructions of the data controller
- Not process personal data for a purpose other than as instructed by the data controller
- Implement the security measures required by the Law, the Regulations and other applicable laws and regulations
- Maintain the confidentiality of the personal data subject to processing
- Delete personal data that were processed after the legal relationship with the data controller ends or when instructed by the data controller, unless there is a legal requirement for the preservation of the personal data
- Not transfer personal data unless instructed by the data controller, the communication arises from subcontracting, or if so required by a competent authority
Transfers of personal data by a controller or a processor are permitted, taking into account the principle of free movement of data, to EU countries and to third countries that ensure an adequate level of protection of personal data subjects' rights and of the data intended for transfer.
The NCPDCP is in charge of maintaining the list of the countries that ensure an adequate level of protection of personal data subjects' rights. The list of such jurisdictions has been drawn up by the NCPDCP and is published for consultation.
The Law on Personal Data Protection also includes a list of context specific derogations, permitting transfers to countries that do not ensure an adequate level of protection:
- if the transfer is provided under an international treaty to which Moldova is a signatory;
- the data subject consents to the transfer;
- if the transfer is necessary for the conclusion or performance of an agreement or contract concluded between the personal data subject and the controller or between the controller and a third party in the interest of the personal data subject;
- if the transfer is necessary in order to protect the life, physical integrity or health of the personal data subject;
- if the transfer is carried out solely for journalistic, artistic, scientific and archive purposes of public interest;
- if the transfer is made to other companies from the same group as the data controller, provided that the mandatory corporate rules are observed;
- if the transfer is necessary for the accomplishment of an important public interest, such as national defence, public order or national security, the orderly conduct of a criminal trial, or ascertaining, exercising or defending a right in court, on the condition that the personal data is processed solely in relation to this purpose and only for as long as is necessary to achieve it;
- if the transfer is necessary for the establishment, exercise or defence of legal claims, whether the courts are acting in their judicial capacity or in the context of administrative or extrajudicial proceedings, including proceedings involving regulatory authorities;
- if the processing takes place under the standard contract for cross-border data transfer drawn up and approved by the NCPDCP and concluded by the data controller.
If only a data transfer agreement is to be concluded, our recommendation is to use the template approved by the NCPDCP. The NCPDCP has drawn up a Standard Data Transfer Agreement that may be used by data controllers. Transferring data under this NCPDCP template is considered an additional safeguard for the legitimacy of the transfer. The template Standard Data Transfer Agreement is published by the NCPDCP.
Monaco is not part of the EU, so the DPL does not distinguish between EEA jurisdictions and non-EEA jurisdictions.
However, the DPL provides that the transfer of data for cross-border access, storage and processing is authorized only to a country which offers equivalent data protection and reciprocity (and in particular circumstances, including for example when the data subject has given consent to the transfer, or when the transfer is necessary to protect the data subject's life or for a public interest).
The CCIN has established a list of the countries deemed to offer equivalent protection and reciprocity.
Data transfers to countries with an adequate level of protection are not subject to the authorization by the CCIN.
The CCIN has adopted a position of principle and decided that all personal data transfers to a country or an organization which does not ensure an adequate level of protection should, in any event, be submitted to the Commission in the form of a transfer authorization application. Subsequently, the CCIN affirmed that it is necessary to submit a transfer authorization application to the Commission if personal data will be accessed from a country that does not have an adequate level of protection.
GDPR has an impact on data transfers to and from Monaco. Two situations must be distinguished:
- Companies of the European Union that want to send data to Monaco: they should no longer have to carry out any specific formalities with their supervisory authority as long as tools to protect the data are put in place between the European data controller and its subcontractor or subsidiary, notably:
  - An approved code of conduct pursuant to Article 40 of the GDPR;
  - An approved certification mechanism pursuant to Article 42 of the GDPR;
  - Standard data protection clauses approved by the European Commission (Article 46);
  - Binding corporate rules (Article 47).
- Companies that want to send data from Monaco: as described above, they are still subject to the data transfer formalities of the CCIN if they wish to send data to a country which does not have an adequate level of protection.
Under the Data Protection Law, transfer of Personal Data is prohibited unless otherwise approved under the relevant laws or permitted by the Data Owner.
Under the DP Law, personal data may be transferred to countries or international organizations, where an adequate level of personal data protection exists, subject to the DPA's approval. The DPA issues such approval only where it establishes that adequate measures for the protection of personal data are undertaken (criteria for the adequacy assessment include, for example, the type of the data and the statutory rules in force in the country to which the data is to be transferred).
However, in certain cases the DPA's approval is not required for data transfers out of Montenegro, as explicitly prescribed by the DP Law (e.g. if the data subject consented to the transfer and was made aware of the possible consequences of such transfer, or the data is transferred to the European Union or European Economic Area or to any country that the EU Commission has determined ensures an adequate level of data protection).
Prior authorization from the National Commission is required before any transfer of personal data to a foreign state.
Further, the person in charge of the processing operation can transfer personal data to a foreign state only if that state ensures, under its applicable legal framework, an adequate level of protection for the privacy and fundamental rights and freedoms of individuals regarding the processing to which these data are or might be subject, unless:
- The data subject has expressly consented to the transfer
- The transfer and subsequent processing are required for:
  - Compliance with a legal obligation to which the data subject or the person in charge of the processing is subject
  - The execution of a contract to which the data subject is party, or the performance of pre-contractual measures taken at the request of the data subject
  - The protection of the vital interests of the relevant data subject, if that person is physically or legally unable to give consent
  - Performance of a task of public interest or related to the exercise of public authority, vested in the person in charge of the processing or the third party to whom the data are communicated
  - Fulfillment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by the interests or fundamental rights and freedoms of the relevant data subject
In practice, we note that the CNDP interprets the legitimate interests exception very restrictively. The CNDP is generally more comfortable relying on the data subject's consent for any transfer to a foreign state.
The law does not generally restrict cross-border transfers of personal information. The Constitution of the Republic of Mozambique imposes restrictions on disclosures of personal information to third parties, unless prior consent from the data subject is obtained.
Although the AU Convention prohibits the transfer of personal data to a non-Member State, this prohibition does not apply if that State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the data subject. The AU Convention also requires that consent be sought from the national protection authority before the data controller may transfer the data to a third country. Currently, INTIC does not have such powers, so the principle of consent of the data subject and the transfer of data to a country with an adequate data protection framework would apply. Notwithstanding this, parties may approach INTIC for further guidance on this matter.
Data export requires authorization from the data subject or a court decision.
By implication from relevant laws, transfer of personal data requires consent.
There are no data transfer restrictions in place.
The 11th amendment to the National Broadcasting Regulation, effective from 3 March 2022, mandates Over the Top ("OTT") service providers to store their customer data on servers within Nepal. This requirement extends only to OTT service providers, and the regulation defines OTT as "the service of delivering any program according to the consumer's demand through the internet and without the use of cable or satellite television, and the term also refers to media streaming services on other platforms via the internet." However, the National Broadcasting Regulation is silent on the methods / procedure / requirements for the transfer of such data outside Nepal.
Furthermore, if the Information Technology Bill, 2019 (2075) (currently tabled in the parliament of Nepal) is implemented in its current form, the prescribed data held by governmental, public, financial and health-related authorities would be prohibited from export outside Nepal. In addition, the Bill to amend the Record Protection Act 1989 (2046) would further prohibit the export of records of national importance outside Nepal.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained;
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained;
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Netherlands regulation
After the European Court of Justice decision of 16 July 2020 (Schrems II), international data transfers to countries that do not have an equivalent level of protection can take place if such transfers are based on the 2021 EU Standard Contractual Clauses (SCC). In addition, in compliance with EDPB guidance, a transfer impact assessment must be conducted in order to assess whether there are reasons to believe that the laws and practices in the third country of destination prevent the recipient from fulfilling its obligations under the SCC.
Generally, an agency should not disclose personal information to another entity unless the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained. Care must be taken that all safety and security precautions are met to ensure the safeguarding of that personal information to make certain that it is not misused or disclosed to any other party.
Transfer of personal information to another agency to hold as the transferring agency's agent (e.g. for safe custody or processing) is not considered a disclosure of the information for the purposes of the Act.
Agencies must not disclose personal information to a foreign person or entity unless the agency reasonably believes:
- the relevant individual authorises the disclosure after being informed by the agency that the foreign person or entity may not be required to protect the information in a way that provides comparable safeguards to those in the Act;
- the foreign person or entity is carrying on business in New Zealand and the agency reasonably believes that, in relation to the information being disclosed, the foreign person or entity is subject to the Act;
- the foreign person or entity is subject to privacy laws that provide comparable safeguards to those in the Act;
- the foreign person or entity is a participant in a prescribed binding scheme;
- the foreign person or entity is subject to privacy laws of a prescribed country; or
- the foreign person or entity is required to protect the information in a way that provides comparable safeguards to those in the Act (e.g. pursuant to contractual clauses). New Zealand's Privacy Commissioner has released model contractual clauses that can be used to satisfy these exceptions, but it is not mandatory to use these exact provisions.
Additionally, the Privacy Commissioner is given the power to prohibit a transfer of personal information from New Zealand to another state, territory, province or other part of a country (State) by issuing a transfer prohibition notice (Notice) if it is satisfied that information has been received in New Zealand from one State and will be transferred by an agency to a third State which does not provide comparable safeguards to the Act, and that the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the Organisation for Economic Co-operation and Development (OECD) Guidelines.
In considering whether to issue a Notice, the Privacy Commissioner must have regard to whether the proposed transfer of personal information affects, or would be likely to affect, any individual; the desirability of facilitating the free flow of information between New Zealand and other States; and any existing or developing international guidelines relevant to trans-border data flows.
On December 19, 2012 the European Commission issued a decision formally declaring that New Zealand law provides a standard of data protection that is adequate for the purposes of EU law. This decision means that personal data can flow from the 27 EU member states to New Zealand for processing without any further safeguards being necessary.
Following the decisions in the Schrems and Schrems II cases, there have been calls to review New Zealand's adequacy status, primarily due to New Zealand's membership of the Five Eyes network. In January 2024, the European Commission reviewed New Zealand's adequacy status. The review confirmed that New Zealand's adequacy status remains, due to New Zealand's strengthened privacy legislation and clarification of certain privacy rules since the adoption of the initial adequacy decision, aligning it further with the EU framework.
Personal data may be assigned and transferred when the purposes are directly related to the legitimate interests of the assignor and the assignee and with the prior consent of the owner of the data, who must be informed about the purpose of the assignment and the identity of the assignee.
The consent for the transfer is revocable by written notification to the person responsible for the data file, or by any other means that is treated as equivalent depending on the circumstances.
Transfer of personal data to another country is allowed only when that country provides a superior or equivalent level of protection for privacy, freedoms and fundamental rights of individuals regarding the processing of personal data (Article 62 of the Law).
The Nigeria Data Protection Act has provided in respect of transfer of personal data that such transfer is permissible if the recipient of the data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data.
To ensure the level of adequacy required of the recipient country of personal data, the following will occur:
- a data controller or processor shall record the basis for transfer and adequacy of protection in that country;
- the Commission may make regulations requiring data controllers and processors to notify it of the measures in place to explain their adequacy in accordance with the Act;
- the Commission may by regulation designate categories of personal data that are subject to additional specified restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.
Other forms of assessment to be taken into account to ensure adequacy of protection include:
- availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law;
- existence of any appropriate instrument between the Commission and a competent authority in the recipient jurisdiction that ensures adequate data protection;
- access of a public authority to personal data;
- existence of an effective data protection law;
- existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers; and
- international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.
The Commission shall issue guidelines for these assessments in line with the factors that have been outlined above. The Commission may determine if a country, region or specified sector within a country has the adequate level of protection. The Commission may approve binding corporate rules, codes of conduct, certification mechanisms or similar instruments for data transfer proposed to it if it meets the standards specified in this Act.
In the absence of adequacy of protection as specified by the Act, transfer of personal data from Nigeria to another country is possible if at least one of the following conditions is met:
- the data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;
- transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract;
- transfer is for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer or if it were reasonably practicable to obtain such consent, the data subject would likely give it;
- transfer is necessary for important reasons of public interest;
- transfer is necessary for the establishment, exercise, or defense of legal claims; or
- transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.
Entities may transfer personal data which are subject to processing if the conditions set out in the DP Law are fulfilled and applied.
When transferring personal data to the EU or the European Economic Area (EEA), entities must notify the DPA at least 15 days before the transfer.
Transferring personal data to third countries or international organizations may be conducted only if the DPA deems that the third country or international organization provides adequate levels of protection. When assessing whether the third country or international organization has an adequate level of protection, the DPA considers several parameters, including, among others:
- the rule of law, respect for human rights and fundamental freedoms, relevant legislation and its implementation, professional rules and security measures (including rules for onward transfer), as well as effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data is transferred;
- the existence and effective functioning of one or more independent supervisory authorities in the third country or international organization;
- the international commitments the third country or international organization has entered into, or other obligations arising from legally binding conventions or instruments, in relation to the protection of personal data.
If the above criteria are met by the third country or international organization where the personal data will be transferred, the data transfer can be conducted on the basis of an adequacy decision adopted by the DPA.
The DPA has not yet adopted an adequacy decision. However, the DPA follows the practice of the European Union when it comes to implementing the data protection regulations, and it is expected that any such adequacy decision will be in line with an adequacy decision adopted by the European Commission.
The DP Law itself does not require a special / individual prior approval by the DPA ("Transfer Approval") if an adequacy decision issued by the DPA for the (importing) third country or international organization exists, or if the safeguards listed below are provided (on condition that enforceable data subject rights and effective legal remedies for data subjects are available). However, to date the DPA has taken a conservative approach.
When an adequacy decision has not been adopted, personal data can be transferred to a third country or international organization only if the data controller or data processor applies appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards may be provided by:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules in accordance with the DP Law;
- standard data protection clauses determined by the DPA or approved by the European Commission;
- an approved code of conduct or approved certification mechanism pursuant to the DP Law together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards the data subjects’ rights.
Additionally, the DPA could approve the following appropriate safeguards:
- contractual clauses between the data controller and the data processor, as well as the data controller, the data processor or the recipient of the personal data in the third country or international organization; or
- provisions envisaged in administrative agreements between public authorities or bodies which contain applicable and effective data subject rights.
The DP Law also provides a list of derogations for specific situations, based on which a legitimate data transfer out of the Republic of North Macedonia is not conditioned upon a Transfer Approval (e.g. data subject’s consent, enforcement of a contract between a data subject and a data controller, etc.).
Unofficially, starting from 2022, the DPA requires the submission of a performed transfer impact assessment with each request for Transfer Approval when transferring personal data to third countries and international organizations.
Even if the requirements to submit a request for Transfer Approval are not met, but the cross-border transfer of personal data is based on other bases, controllers / processors should still perform a documented transfer impact assessment.
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
Please note that pursuant to a recent decision of the Court of Justice of the European Union (Case C-311/18 Schrems II), the EU-US Privacy Shield Framework may no longer serve as a legal basis for transfers of personal data between the EEA and the USA.
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These SCCs contain a practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary.
These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs.
Until 27 December 2022, controllers and processors could continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remained unchanged.
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, which fosters trans-Atlantic data flows and addresses the concerns raised by the Court of Justice of the European Union in its Schrems II decision.
European entities are therefore able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Section 16 of PECA 2016 prohibits the transmission of identity information of a person without consent.
Section 4 of PECA 2016 penalizes unauthorized copying and transmission of data with dishonest intentions, with imprisonment up to six months, or a fine up to one hundred thousand rupees, or both.
Section 7 of PECA 2016 penalizes unauthorized copying and transmission of critical infrastructure data with dishonest intentions, with imprisonment up to five years, or a fine up to five million rupees, or both. Under Section 2 of PECA 2016, critical infrastructure data means data that supports or performs a function with respect to a critical infrastructure, namely an asset, facility, system, network or process.
Section 42 of PECA 2016 allows for the Federal Government to transfer data to any foreign government, agency or any international organization for the purposes of investigations or proceedings, and for the collection of evidence concerning offences, upon receipt of a request of the designated investigation agency under PECA 2016.
In addition, Pakistan prohibits data transfers to any country that it does not recognize, including: Israel, Taiwan, Somaliland, Nagorno-Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia. This list may change from time to time. Additionally, data transfers to India must be justifiable by the transferor.
Data collated by banks, insurance firms, hospitals, defense establishments and other 'sensitive' institutions may not be transferred to any individual or body without authorization from the relevant regulator, on a confidential basis. Such data is further regulated by contractual terms. In certain cases, data may not be transferred without authorization from the data subject.
In any event, banks and financial institutions must maintain confidentiality in banking transactions.
Similarly, the PDPB, which is yet to be promulgated, proposes prohibiting the transfer of personal data to unauthorized persons or systems. Where the transfer of personal data pertains to a transfer to a territory outside of Pakistan, the PDPB would require the territory where personal data is to be transferred to offer an equivalent degree of personal data protection as that provided for in Pakistan, provided that such data transfer is done in accordance with a framework for the transfer of personal data outside of Pakistan as devised by the Commission.
With regards to personal data, the Constitution states that individuals must give their consent in order for their personal data to be transferred or processed in any way.
The Data Protection Law clearly states that in no case may the data controller or the data processor transfer or communicate data relating to an identified or identifiable person once seven years have elapsed from the legal obligation to keep said personal data, unless the data subject expressly requests otherwise. Data controllers can only transfer personal data when they have the prior, informed and unequivocal consent of the data subject, subject to the exceptions included in the Data Protection Law.
Additionally, the Data Protection Law allows for cross-border transfer of personal data, if any of the following conditions are met:
- With the data subject's consent
- The recipient country or international or supranational organization provides an equivalent or a higher level of protection
- If necessary for prevention or medical diagnosis, the provision of health care, medical treatment or the management of health services
- If made to any company of the same economic group as the data controller, provided that the personal data is not used for purposes different from those for which it was collected
- If necessary under an executed or soon to be executed contract, in the unambiguous interest of the data subject, between the controller and a third party
- If necessary or legally required for the safeguarding of a public interest, for the legal representation of the data subject or for the administration of justice
- If necessary for the recognition, exercise or defense of a right in judicial proceedings, or in cases of international judicial cooperation
- If necessary for the maintenance or fulfilment of a legal relationship between the data controller and the data subject
- If required to conclude bank or stock transfers, relating to the respective transactions and in accordance with the legislation applicable to them
- If the objective is international cooperation among intelligence agencies in the fight against organized crime, terrorism, money laundering, computer crimes, child pornography and drug trafficking
- If the data controller responsible for the data transfer and the recipient adopt mechanisms of binding self-regulation, provided that they are in accordance with the provisions of the Data Protection Law
- If carried out within the framework of contractual clauses that contain mechanisms for the protection of personal data in accordance with the provisions of the Data Protection Law, provided that the data subject is a party
In all cases, the data controller responsible for the data transfer and the recipient of the personal data will be responsible for the legality of the data processing.
The Personal Credit Data Protection Law establishes that international transfers of personal data to a recipient in a third country (as defined under the Law), or to an international organization, where the guarantees, requirements and/or exceptions established in the Law are not met, are a violation of applicable data protection law and thus can be subject to sanctions (Art. 21.x. of the Law).
Under current legislation, there are no other specific provisions that regulate the transfer of private information. However, the transfer of private information is considered a form of data processing, so the same rules as for the collection and processing of personal data apply (Art. 3.e. of the Law – definition of 'treatment of data').
Where personal data is transferred to another entity, recipients must be required to handle such personal data in accordance with the provisions of the PDPL and its Regulation.
Generally, data subject consent is required.
Cross-border transfers
The transferring entity may not transfer personal data to a country that does not afford adequate protection levels (protections that are equivalent to those afforded by the PDPL or similar international standards). If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country is contractually obligated to provide 'adequate protection levels' to the personal data, such as via a written agreement that requires that the personal data will be protected in accordance with the requirements of the PDPL, or under one of the following circumstances:
- In accordance with international treaties in which Peru is a party
- For purposes of international judicial cooperation or international cooperation among intelligence agencies to combat:
  - Terrorism
  - Drug trafficking
  - Money laundering
  - Corruption
  - Human trafficking, and
  - Other forms of organized crime
- When necessary for a contractual relationship with the data subject, or for a scientific or professional relationship
- Bank or stock transfers concerning transactions in accordance with the applicable law
- The transfer is performed to protect, prevent, diagnose or medically or surgically treat the data subject, or to perform studies of epidemiology or the like, provided a data dissociation procedure has been applied
- The owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer to the inadequate jurisdiction
- Other exempt purposes established by the Regulations
For both domestic and cross-border transfers, the recipient must assume the same obligations as the transferor of the personal data. The transfer must be formalized, such as by binding written contract, and capable of demonstrating that the holder of the database or the data controller communicated to the recipients the conditions in which the data subject consented to their processing.
As an alternative to the above-mentioned "adequate transfer" requirement, a Data Controller may execute with a Data Processor (or other Data Controller) the standard contractual clauses already approved by the Peruvian Data Protection Authority, which include several obligations and declarations regarding the data transfer between the parties.
Each PIC is responsible for Personal Information under its control or custody that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
Transfers may involve either data sharing or outsourcing arrangements. “Data sharing” is the disclosure or transfer to a third party of Personal Information under the custody of a PIC or PIP. In the case of the latter, such disclosure or transfer must have been upon the instructions of the PIC concerned. The term excludes “outsourcing,” or the disclosure or transfer of personal data by a PIC to a PIP.
Data sharing and outsourcing arrangements must be undertaken in accordance with the requirements under the Act, which includes the execution of the appropriate agreements. The NPC has likewise issued a circular which provides guidelines on data sharing agreements, including the contents thereof.
In May 2024, the NPC issued guidelines on model contractual clauses that PICs and PIPs may include in binding legal agreements governing cross-border transfers of Personal Data.
EU regulation
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1) of GDPR).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
It is worth mentioning that the European Commission has adopted an adequacy decision in relation to the EU-US data protection framework. The decision states that the US provides an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to US companies under the new framework.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules and standard contractual clauses. The EU-US Privacy Shield Framework does not constitute an appropriate safeguard for transferring personal data to the USA, since European Commission Decision 2016/1250 (which was the legal basis for the EU-US Privacy Shield) was invalidated by the European Court of Justice on 16 July 2020 (Case C-311/18, Schrems II). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- Explicit informed consent has been obtained
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defense of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Portugal regulation
Transfers to non-EU/EEA countries or international organizations follow GDPR rules. In respect of transfers of personal data to third countries or international organizations, where the processing is necessary for compliance with a legal obligation and where it is carried out by public entities in the exercise of authority powers, said transfers shall be considered as in the public interest.
Data controllers may collect, process and transfer personal data when the data subject consents, unless deemed necessary for realizing a 'lawful purpose' for the controller or for the third party to whom the personal data is sent. The data controller has to demonstrate, when disclosing and transferring personal data to the data processor, that the transfer is for a lawful purpose and that the transfer of data is made pursuant to the provisions of the Data Protection Law.
Data controllers should not take measures or adopt procedures that may curb trans-border data flow, unless processing such data violates the provisions of the Data Protection Law or will cause gross damage to the data subject. The Data Protection Law defines 'trans-border data flow' as accessing, viewing, retrieving, using or storing personal data without the constraints of state borders.
Data controllers may transfer personal data out of the QFC if the personal data is being transferred to a Recipient in a jurisdiction that the DPO has decided has laws and regulations that ensure an adequate level of protection for that personal data. The DPO has produced a list of jurisdictions which it deems to have such adequate levels of protection and may also take the following factors into consideration when assessing the adequacy of the level of protection ensured by the laws and regulations to which the Recipient is subject:
- The rule of law, the general respect for individuals' rights and the ability of individuals to enforce their rights by administrative or judicial means;
- The access of public authorities to personal data;
- The existence of effective data protection regulations including on onward transfer of personal data to another jurisdiction;
- The existence and functioning of one or more independent supervisory authorities with adequate enforcement powers;
- International commitments and conventions binding on the jurisdiction and its membership of any multilateral or regional organizations;
- Decisions taken by other data protection authorities where their decisions take into consideration the same factors as those the DPO does.
In the absence of an adequate level of protection, data controllers may transfer personal data out of the QFC if any of the following are true:
- The data controller or data processor have appropriate adequate safeguards including enforceable rights and remedies for the data subjects which may be provided by a legally binding and enforceable arrangement between public authorities or a legally binding and enforceable agreement between parties which contain data protection clauses adopted by the DPO;
- The data subject has been informed of the risks of such transfer and has given his / her explicit consent to the proposed transfer;
- Transfer is necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;
- Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party;
- Transfer is legally required for the purposes of the data controller's or data processor's compliance with a legal obligation;
- Transfer is necessary in order to protect the vital interests of the data subject;
- Transfer is necessary to perform a task carried out in the public interest or by any of the following authorities in the performance of their functions: the QFC Authority, the QFC Regulatory Authority, the QFC Civil and Commercial Court, the QFC Regulatory Tribunal or a QFC Institution;
- Transfer is necessary for the establishment, exercise or defense of a legal claim.
If none of the above are applicable, a data controller may transfer personal data out of the QFC only if:
- The DPO has granted a permit for the transfer or the set of transfers and the data controller applies adequate safeguards with respect to the protection of this personal data;
- The transfer is based on binding corporate rules that fulfil the requirements of the DPR and are approved by the DPO, or on another internationally acceptable transfer mechanism approved by the DPO; or
- The transfer:
  - Is not repetitive or part of a repetitive course of transfers;
  - Concerns only a limited number of data subjects;
  - Does not contain sensitive personal data;
  - Is for the purposes of the legitimate interests of the data controller or third party to which the data is disclosed, unless such legitimate interests are overridden by those of the data subject; and
  - The data controller has completed a documented assessment of the circumstances surrounding the data transfer and has provided adequate safeguards with regard to the protection of the personal data.
Cross-border transfer of personal data is only allowed if the receiving state offers a similar protection of personal data and the Commission is notified in advance of the intention to transfer data to a third country.
EU regulation
Transfers of personal data by a controller or a processor to countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted when certain conditions are met.
The European Commission has the power to make an adequacy decision in respect of non-EU countries, determining that it provides for an adequate level of data protection, and thereby permitting personal data to be freely transferred to that country.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among other things, binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where any of the following apply:
- Explicit informed consent has been obtained
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
- The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defence of legal claims
- The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
- The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Romania regulation
No specific provisions / derogations are provided by Law no. 190/2018 with respect to personal data transfers.
According to recently adopted amendments to the law, prior to a transfer of personal data out of Russia, the data controller must notify Roskomnadzor of the cross-border data transfer.
The law distinguishes between countries that provide adequate protection of personal data and countries that do not. This differentiation affects the data transfer procedure, as discussed below.
The fact that the recipient state ratified the Convention is sufficient ground to deem that the state provides adequate protection of personal data for the purposes of the DPA.
In addition to the above, Roskomnadzor issued Order No. 274 of 15 March 2013 'On endorsement of the List of the Foreign States Which are Not Parties to the EC Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data'. The Order contains the list of countries which are officially recognized by Russian authorities as 'ensuring adequate protection'. Apart from the Member States of the Convention, there are 23 such 'white-listed' states as of today.
For both types of countries, Roskomnadzor has the right to restrict cross-border transfers. For countries which provide adequate protection of personal data, the controller must notify Roskomnadzor beforehand but may commence the cross-border data transfer without waiting for Roskomnadzor's express or tacit approval of the transfer (and must discontinue such transfers if Roskomnadzor objects). For countries which do not provide adequate protection of personal data for the purposes of the DPA, transfers to those countries are not permissible until Roskomnadzor issues its express or tacit approval within the statutorily set timeframes.
The transfer of personal data outside of Rwanda is only permitted for the following cases (article 48):
- the DC or DP has obtained authorization from the NCSA after providing proof of appropriate safeguards with respect to the protection of personal data;
- the data subject has given his or her consent;
- the transfer is necessary:
  - for the performance of a contract between the data subject and the DC or the implementation of pre-contractual measures taken in response to the data subject's request;
  - for the performance of a contract concluded in the interest of the data subject between the DC and a third party;
  - for public interest grounds;
  - for the establishment, exercise, or defense of a legal claim;
  - to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving his or her consent;
  - for the purpose of compelling legitimate interests pursued by the DC or by the DP, which are not overridden by the interests, rights and freedoms of the data subject and when:
    - the transfer is not repetitive and concerns only a limited number of data subjects;
    - the data controller or the data processor has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data;
  - for the performance of international instruments ratified by Rwanda.
The DC or DP transferring personal data outside of Rwanda must enter into a written contract with the transferee setting out the respective roles and responsibilities of each party to ensure compliance with the Data Protection Law (article 49).
A regulation from the NCSA determining the form of contract to be used for transfers of personal data outside Rwanda is yet to be adopted (article 49).
There are detailed rules relating to the transfer of personal data outside of KSA. The PDPL allows for the transfer of personal data outside of KSA for several purposes (for example, if such action is taken to meet an obligation to which the data subject is a party) and subject to various conditions (for example, the transfer or disclosure must not compromise the national security or vital interests of KSA and be limited to the minimum amount of personal data needed).
Subject to such requirements and conditions, the Transfer Regulations have introduced a number of circumstances where a cross-border transfer of personal data is permissible. This includes transfers to countries with appropriate levels of protection that are no less than the protections afforded under the PDPL.
However, transfers of personal data to countries which are not deemed to have an adequate level of protection may still be made where "appropriate safeguards" are put in place. If the data controller is unable to use any of the appropriate safeguards, there are still limited cases where cross-border transfers are permissible. Such transfers are, however, still subject to various controls.
In addition, in certain contexts or sectors, specific approvals may be required - for example, in a banking context, approval from the Saudi Central Bank.
Under Senegalese law it is possible to transfer personal data to a third country. When transferring data to a foreign country, the controller is required to submit a duly motivated request to the Personal Data Protection Commission if the transfer lacks an adequate level of protection. This request is possible only when the controller provides a sufficient guarantee of protection of the rights of the data subject regarding compliance with the privacy of the fundamental rights and freedoms of individuals concerned and the exercise of the corresponding rights.
The level of protection in question is assessed in the light of, inter alia, the security measures and the specific processing characteristics such as its purpose, duration, nature, origin and the destination of the processed data.
There are a number of obligations that affect the controller. The data transfer can only be made in a country that offers the same guarantees of protection as Senegal unless the request is accepted.
By way of derogation from the requirement that the recipient country offer the same level of protection, the law provides for the possibility of transferring data to a third country which does not offer the same level of protection, subject to certain conditions.
Such a transfer must be occasional and not large-scale, and the person to whom the data relates must express his / her consent to the transfer of these data. Consent must also be express where the transfer is necessary for one of the following:
- safeguarding the life of this person;
- safeguarding the public interest;
- compliance with obligations to ensure the recognition, exercise or defense of a right before the courts;
- the execution of a contract between the controller and the person concerned; or
- pre-contractual measures taken at the request of the latter.
Under the previous data protection law, the DPA’s prior approval was a precondition for a legitimate data transfer whenever a transfer was to be made to any country which had not signed and ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Relevant Convention"). The data transfer regime has now been completely revamped and liberalized under the DP Law, which is a much-welcomed change from the previous overly restrictive concept. The DP Law explicitly applies to both direct and indirect data transfers, unlike the previous law for which it was not fully clear whether it covers indirect transfers at all.
This means that, under the DP Law, substantially the same as under the GDPR, there is a whole set of mechanisms enabling legitimate data transfer out of Serbia. Specifically, subject to circumstances of each particular case, controllers will be entitled to transfer personal data abroad if one of the following situations (among others) occurs:
- Personal data is to be transferred to a country that ratified the Relevant Convention.
- Data transfers are to a country included on the Serbian government’s list of countries providing an adequate level of data protection (EU Countries, other countries which are member states of the Relevant Convention and some other countries such as, for example, Canada (for business subjects only) and Japan).
- Data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers.
- The transfer is based on the standard contractual clauses prepared by the Serbian DPA.
- The transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the law.
- The Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer.
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks.
This should create more options for the transfer of data to non-European countries, especially since the DPA has prepared the aforementioned standard contractual clauses, which are adopted and applicable as of 30 January 2020 (keeping however in mind that, under the DP Law, the respective SCC mechanism will be available only when a data importer is a data processor). In addition, when it comes to the process of obtaining the DPA’s aforementioned specific approval for a data transfer, such procedure should be completed within 60 days, as explicitly prescribed under the DP Law.
If it appears to the Data Protection Commissioner that a person registered as a data user (or as a data user who also carries on a computer bureau) intends to transfer personal data held by him to a place outside the Seychelles, the Data Protection Commissioner may, if satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle, serve that person with a transfer prohibition notice prohibiting him from transferring the data either absolutely or until he has taken such steps as are specified in the notice for protecting the interests of the data subjects in question.
In deciding whether to serve a transfer prohibition notice, the Data Protection Commissioner shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between the Seychelles and other states.
A transfer prohibition notice shall specify the time when it is to take effect and contain a statement of the principle or principles which the Data Protection Commissioner is satisfied are contravened and his reasons for reaching that conclusion, as well as particulars of the right of appeal conferred by the Act.
The Data Protection Commissioner may cancel a transfer prohibition notice by written notification to the person on whom it was served.
No transfer prohibition notice shall prohibit the transfer of any data where the transfer of the information constituting the data is required or authorised by or under any enactment or is required by any convention or other instrument imposing an international obligation on the Seychelles.
Any person who contravenes a transfer prohibition notice shall be guilty of an offence but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to avoid a contravention of the notice in question.
In disclosing or transferring personal data to onshore third parties (including affiliates), an organization should ensure that it has obtained the individual's deemed or express consent to such transfer (unless exemptions apply) and, if this was not done at the time the data was collected, additional consent will be required (unless exemptions apply).
It is also a requirement under the Act for organizations to enter into written agreements with their data intermediaries to whom they transfer personal data and who process such data on behalf of the organizations.
The Act also contains offshore transfer restrictions, which require an organization to ensure that the receiving organization has in place "comparable protection" to the standards set out in the Act when transferring personal data outside of Singapore. Mechanisms to achieve this include (this is not a comprehensive list): data transfer agreements (for which the Commission has released suggested sample clauses); the individual has given consent (provided required notices have been given to the individual setting out the basis upon which their data will be protected in the country or territory to which their personal data will be transferred); and where transfers are considered necessary in certain prescribed circumstances (which include in connection with performance of contracts between the transferring organization and the individual, subject to certain conditions being met). An organization may apply to be exempted from any requirement prescribed under the Act in respect of any transfer of personal data out of Singapore. An exemption may be granted on such conditions as the Commission may require.
The Amendment Act provides for a new right of data portability on electronic data (this right is expected to come into force soon). Individuals may request an organization (“Porting Organization”) to transmit certain data about them to another organization. The Porting Organization must have an ongoing relationship with the individual, and have collected or created such data.
The Commission has published guides to data sharing (covering intragroup and third-party sharing) with practical non-binding guidance on data transfer / sharing for organizations, as well as DPMP and DPIA guides (see Collection & Processing).
National Ordinance Personal Data Protection
Contains no clauses.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or otherwise outside the protection of the GDPR, unless the rights of individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR (Article 49) also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Slovak Republic regulation
Pursuant to the GDPR, the free movement of personal data between the Slovak Republic and EU Member States is guaranteed; the Slovak Republic shall not restrict or prohibit the transfer of personal data in order to protect the fundamental rights of natural persons, in particular their right to privacy in connection with the processing of their personal data.
The transfer of personal data to third countries or international organisations is governed by the GDPR.
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein, and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44 GDPR).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1) GDPR).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise, or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals, or administrative authorities of countries outside the EU (Article 48 GDPR) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
No general additional requirements relating to transfers are introduced by ZVOP-2.
POPIA caters for two scenarios relating to the transfer of personal information, namely where a responsible party in South Africa sends personal information to another country to be processed and where a responsible party in South Africa processes personal information that has been received from outside South Africa.
Receiving personal information from other countries
The requirements for the processing of personal information prescribed in POPIA will apply to any personal information processed in South Africa, irrespective of its origin.
Sending personal information to other countries for processing
A responsible party in South Africa may not transfer personal information to a third party in another country unless:
- The recipient is subject to a law, binding corporate rules or a binding agreement which:
  - Upholds principles for reasonable processing of the information that are substantially similar to the conditions contained in POPIA; and
  - Includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties who are in another country;
- The data subject consents to the transfer;
- The transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; or
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject and:
  - It is not reasonably practicable to obtain the consent of the data subject to that transfer; and
  - If it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
As a general rule, a personal data controller may not provide personal information to a third party without obtaining the prior opt-in consent of the data subject.
Exceptions to the general rule above apply in the following cases:
- Where special provisions exist in any Act, or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute;
- Where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc;
- Where it is deemed manifestly necessary for the protection of life, bodily and property interests of a data subject or a third party where imminently endangered;
- Where it is necessary to attain the legitimate interests of a personal data controller, the interest of which is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal information controller and does not go beyond a reasonable scope; and
- Where it is urgently necessary for the public safety and security, public health, etc.
Under the PIPA, a personal data controller must obtain consent after it notifies the data subject of:
- recipient of personal information;
- purposes for which the recipient of personal information uses such information;
- particulars of personal information to be provided;
- period during which the recipient retains and uses personal information;
- the fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.
When a business transfer occurs, the personal data controller may transfer personal information without consent, provided that it gives its data subjects a chance to opt out by providing notice of:
- expected personal information transfer;
- contact information of the recipient of the personal information, including the name, address, telephone number and other contact details of the recipient; and
- means and process by which the data subjects may refuse to consent to the transfer of personal information.
In addition to the restrictions set out above, consent must as a general rule be obtained for the cross-border transfer of personal information under the PIPA; however, consent need not be obtained in the following cases:
- Where there are special provisions on cross-border transfers under laws, treaties or other international agreements;
- Where delegation of processing or storage is necessary for the execution and performance of agreements with data subjects and such details are disclosed in the privacy policy or notified to the data subjects via email, etc.;
- Where the recipient of personal information has taken all necessary measures, such as authentication and safety measures required by the PIPC, such as ISMS-P; or
- Where the countries or international organizations that personal information is transferred to are recognized by the PIPC as having an adequate level of protection.
When obtaining consent for cross-border transfers, personal data controllers must notify the following:
- Specific information to be transferred overseas;
- Destination country;
- Date, time, and method of transmission;
- Name and the contact information of the third party;
- Third party's purpose of use of the personal information and the period of retention and usage; and
- Method and procedure for rejecting the cross-border transfer and the consequences thereof.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules or EU/AEPD standard contractual clauses (a new version of which was approved by the EU Commission in June 2021). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities (which remains under NLOPD, however, when EU/AEPD standard contractual clauses are replaced by other sets of clauses or other safeguards).
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
The PDPA allows for cross-border data flow and the processing of data in a third country outside Sri Lanka, subject to the parameters set out in the PDPA.
In case of a public authority acting as a controller or a processor, such transfer should only be made to a third country prescribed pursuant to an adequacy decision. The Minister in charge of the subject matter has the power to make an adequacy decision in consultation with the Authority, and factors such as the relevant written laws and the enforcement mechanisms available in such third country will be considered in making such an adequacy decision.
A controller or processor that is not a public authority may also process personal data in a third country subject to an adequacy decision. If no adequacy decision has been made, personal data may be transferred to such third country only where the controller or processor effecting such transfer is able to ensure compliance with the obligations imposed under Parts I and II and sections 20 to 25 of the PDPA by the imposition of appropriate safeguards. The transferor effecting such transfer is required to adopt an instrument that may be specified by the Authority in order to ensure compliance with the provisions of the PDPA by the transferee.
It is noteworthy that no such adequacy decisions have been made yet, considering the fact that the majority of the law is yet to become operative.
In the absence of an adequacy decision or appropriate safeguards, the PDPA provides the following limited instances where personal data could still be transferred to a third country (provided that the transferor in such instance is not a public authority):
- the data subject has explicitly consented, upon having been informed of the risks of such processing;
- the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of any pre-contractual measures taken by the controller at the request of the data subject;
- the transfer is necessary for the establishment, exercise or defence of legal claims relating to the data subject;
- the transfer is necessary for reasons of public interest;
- the transfer is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another person and where the data subject is incapable of giving consent; or
- any other condition that may be prescribed under the PDPA in the future.
EU regulation
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, in which an adequate level of protection for personal data transferred from the EU to US companies that have joined the framework is ensured in accordance with GDPR Art. 45.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council. In line with this obligation, the Commission published its Report on the first periodic review of the adequacy decision for Japan on 4 April 2023. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC. On 9 October 2024, the Commission published its Report on the first review of the functioning of the adequacy decision on the EU-US Data Privacy Framework.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.
On 16 July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-US Privacy Shield in the so-called Schrems II case (judgement of the CJEU in Case C-311/18). Moreover, the CJEU clarified that exporters of personal data to third countries may continue to rely on standard contractual clauses. When doing so, however, exporters need to carry out a so-called transfer impact assessment and implement supplementary measures as necessary in each individual case, in order to be able to ensure that a level of protection essentially equivalent to that which is guaranteed within the EU can be upheld.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.
Personal data may be transferred outside Switzerland if the destination country offers an adequate level of data protection. The Federal Council maintains and publishes a list of such countries as Annex 1 to the ODP. It should be noted that, under Swiss data protection law, remote access to data residing in Switzerland from outside of Switzerland is also considered a transfer/disclosure abroad.
The Federal Council deems, inter alia, the data protection legislations of all EEA countries as well as of the United Kingdom to be adequate. However, the countries covered by an adequacy decision of the European Commission do not fully correspond to those considered as adequate by the Federal Council.
In the absence of legislation that guarantees adequate protection, personal data pertaining to individuals may be disclosed abroad only if at least one of the following conditions is fulfilled:
- Data protection clauses in an agreement between the controller or the processor and its contractual partner that ensure an adequate level of data protection. The use of such clauses must be notified to the FDPIC beforehand.
- Specific guarantees drawn up by the competent federal body that ensure an adequate level of data protection. The use of such guarantees must be notified to the FDPIC beforehand.
- Standard data protection clauses that the FDPIC has approved, issued or recognised beforehand. On 4 June 2021, the European Commission issued new Standard Contractual Clauses (SCC). According to the FDPIC, these new SCC can also be used to safeguard cross-border data transfers from Switzerland to countries without an adequate level of data protection, provided they are (slightly) amended to comply with the FADP. "Old" safeguards based on the former SCC may no longer be used. Contrary to the former FADP, the FDPIC no longer has to be notified about the implementation of SCC. Other safeguards still have to be notified.
- Binding corporate rules that ensure an adequate level of data protection in cross-border data flows within a single legal entity or a group of affiliated companies. Such rules must have been approved by the FDPIC or by the authority responsible for data protection in a country that guarantees an adequate level of protection.
- The data subject explicitly consents to the particular data export.
- The disclosure is directly connected with the conclusion or performance of a contract between the controller and the data subject or between the controller and its contracting partner in the interest of the data subject.
- The disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before a court or another competent foreign authority.
- The disclosure is required in order to protect the life or the physical integrity of the data subject or of a third party and it is not possible to obtain the data subject's consent within a reasonable period of time.
- The data subject has made the personal data generally accessible and has not expressly prohibited its processing.
- The data originates from a register provided for by law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation are met in the specific case.
Violations of certain obligations regarding cross-border transfers of personal data are subject to sanctions.
Regarding cross-border data transfers to the US, the EU and the US have established a new “EU-US Data Privacy Framework” (as successor to the invalidated EU-US Privacy Shield). On 10 July 2023, the EU Commission issued an adequacy decision for the EU-US Data Privacy Framework, as the US would ensure an adequate level of protection for personal data transferred from the EU to organisations in the US that are included in the “Data Privacy Framework List”. Therefore, a transfer of personal data from the EU to a US company certified under the EU-US Data Privacy Framework no longer requires additional safeguards pursuant to the GDPR. While neither the EU-US Data Privacy Framework nor the EU adequacy decision directly impacts data transfers from Switzerland to the US, the FDPIC has, for the time being, taken note of these developments. It may be anticipated that the Swiss authorities will aim at establishing a similar framework in the foreseeable future.
The privacy notice to data subjects must set out the extent to which personal data will be transferred to others.
Cross-border transmissions of personal data are regulated by the PDPA. The Taiwan authorities may restrict the cross-border transmission and use of personal data in the following circumstances:
- when a substantial interest of Taiwan is at stake;
- as provided under an international treaty or agreement (as at December 10, 2021, there are no such treaties or agreements in place);
- when the receiving country lacks proper laws or regulations to adequately protect personal data, or where infringement of the rights and interests of the data subject is threatened; or
- when the purpose of the transfer is to evade the application of the PDPA.
The Taiwan National Communications Commission (NCC) issued an order in 2012 prohibiting communications enterprises from transferring subscribers’ personal data to mainland China; the Ministry of Health and Welfare issued an order in 2022 prohibiting social worker offices from transferring data subjects’ personal data to mainland China; and the Ministry of Labor issued an order in 2023 prohibiting private employment services institutions and employment service agencies for people with disabilities from transferring data subjects’ personal data to mainland China, all on the grounds that the personal data protection laws in mainland China are still inadequate. As at December 18, 2023, there are no other restrictions or prohibitions on the cross-border transfers to any other country / area.
Transfer of personal data is allowed if the rights and freedoms of the data subject are not violated. With regard to cross-border transfers of personal data, the PDPL does not impose any restrictions on the data controller if the foreign country provides adequate protection of personal data.
Where there is no adequate protection of personal data, a cross-border transfer is permitted in the following cases:
- the data subject’s consent is obtained;
- the transfer is provided for pursuant to an international treaty recognized by Tajikistan; or
- the transfer is necessary for the purpose of protecting citizens’ rights and freedoms, health and morality, and the public order of the state.
The PDPA permits the transfer of personal data outside Tanzania only in the following circumstances:
- to a country that has a legal framework that provides for adequate personal data protection (i.e. essentially equivalent levels of protection to that within Tanzania) provided the recipient has established that:
- such personal data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller; or
- the importance of the transfer, and that there is no reason to assume that the subject's legitimate interests may be prejudiced by the transfer or the processing in the recipient country.1
The data controller must carry out a provisional evaluation on the need to transfer such personal data2 and ensure the recipient of the data only processes the relevant information in the data and for the purpose for which the data was transferred.3 The recipient of the data must also ensure that the necessity for the transfer of the personal data can be subsequently verified:4
- to any other country with appropriate safeguards on the security and protection of personal data provided the data is transferred solely to permit processing authorised to be undertaken by the controller;5
- to a country which does not have the adequate level of protection provided the transfer is in accordance with specifications issued by the Minister responsible for Information, Communication and Information Technology, the data subject has consented to such transfer and the transfer is necessary for:
- the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the request of the data subject;
- the conclusion or performance of a contract concluded or to be concluded between the controller and another person in the interest of the data subject;
- legally required on public interest grounds, or the institution, trial or defence of a legal claim;
- protecting the legitimate interests of the data subject; and
- the transfer is made in accordance with the law and is aimed to provide information to the public and is open for public consultation in general or by anyone who can demonstrate a legitimate interest, to submit their opinion in accordance with a procedure laid down by law.6
Prior to the transfer of personal data outside Tanzania, the data controller or processor must apply for and obtain a permit from the Commission.7 The application is made using a prescribed form which must be accompanied with proof that:
- the recipient country has ratified an international agreement providing requirements for the protection of personal data;
- there is an agreement between Tanzania and the recipient country regarding the protection of personal data; or
- there is a contractual agreement between the person requesting the personal data and the recipient of the personal data who is outside Tanzania.8
Footnotes
1: Section 31(2) of the DPA
2: Section 31(3) of the DPA
3: Section 31(5) of the DPA
4: Section 31(4) of the PDPA
5: Section 32(1) of the PDPA
6: Section 32(4) of the PDPA
7: Regulation 20(1) of the PDPA Regulations
8: Regulation 20(3) of the PDPA Regulations.
The Data Controller may not use or disclose Personal Data without consent unless it has been exempted from the consent requirement (i.e. on the grounds of other legal bases of processing). The recipient of the Personal Data must not disclose the Personal Data for any purposes other than those previously notified to the Data Controller when requesting the Personal Data.
In the event that the Data Controller uses or discloses Personal Data which is exempt from the consent requirement (i.e. other legal basis of processing), the Data Controller must maintain a record of such use or disclosure in the manner prescribed under the PDPA, for example the record must be kept in a written or electronic format.
Processing between Data Controllers and Data Processors
As the Data Processor will be carrying out activities only pursuant to the instructions given by the Data Controller, the PDPA imposes an obligation on the Data Controller to ensure that there is a data processing agreement in place between the Data Controller and Data Processor governing the activities of the Data Processor.
Cross-border transfer
Personal Data may not be transferred outside of Thailand, unless the recipient country or international organisation has adequate personal data protection standards in the Regulator’s view and the transfer is in accordance with the rules prescribed by the Regulator. Exemptions may apply such as in the following cases:
- the data subject has given consent and proper notification has been given by the Data Controller;
- the transfer is necessary for the performance of a contract between the Data Controller and data subject; or
- the transfer is necessary in order to protect the vital interests of the data subject.
According to the subordinate regulation regarding the criteria for protecting Personal Data sent or transferred abroad issued on 25 December 2023, the cross-border transfer rules do not apply to the sending and receiving of Personal Data as an intermediary for data transit or data storage that has technical measures to protect unauthorized access from third parties, such as cloud computing services.
As the relevant subordinate regulations have already been issued, the Regulator may soon issue the list of destination or data receiving countries which are considered to have adequate personal data protection standards pursuant to the PDPA.
Transfer between group companies may be exempt from the above requirement if the international transfer is to an organisation within the same group / affiliated business and such transfer is for joint business operations. Nevertheless, the personal data protection policy of such group companies, the so-called binding corporate rules (BCR), must be approved by the Regulator. The relevant Data Controller or Data Processor may submit the BCR to the Regulator for approval via post or an electronic channel as prescribed by the Regulator.
However, in the absence of a BCR or a decision on the adequate personal data protection standards of the destination country, the Data Controller or Data Processor may transfer Personal Data to another country if it provides appropriate measures as prescribed by the subordinate regulation. Such measures must, for instance, be legally enforceable and binding on all relevant parties, uphold data subject rights and complaints, and implement the security measures prescribed by the PDPA.
The subordinate regulation further prescribes that the appropriate measures may be in the form of contract, certification, or provisions in the bill, or binding agreement between Thai and international governmental bodies.
In addition, the subordinate regulation stipulates that an appropriate measure in the form of a contract must have one of the following characteristics:
- the contract must rely on the international form of contract i.e. ASEAN Model Contractual Clauses for Cross Border Data Flow, Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to the European Union regulation or GDPR, or the standard contractual clauses for sending or transferring of Personal Data of other international organisation as prescribed by the Regulator; or
- the contract must contain certain provisions prescribed by the Regulator. For example, in the case of a contract between two Data Controllers, the receiving party must inform the transferring party of a data breach incident within 72 hours of becoming aware of it; in the case of a contract between a Data Controller and a Data Processor, the receiving party must contact the transferring party if there is any data subject rights request, and it must delete the Personal Data obtained when requested by the transferring party.
The transfer requirements may have an impact on multinational organisations that routinely transfer data cross-border. However, given that many organisations in Europe will already comply with similar (and likely more stringent) data protection laws, the impact of the PDPA may be limited regarding cross-border transfer of data.
None.
Section 6(l) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the laws in the recipient country provide safeguards for the personal information comparable to those provided by Trinidad and Tobago law.
In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago. Such list has not been published to date.
Sections 72(1) and (2) of the DPA (neither of which are in force as yet) provide that where a mandatory code is developed for private bodies, at a minimum, it must require that personal information under the custody or control of a private organization not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.
Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:
- An organization shall be responsible for the personal information under its control.
- The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.
- Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
- Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.
- Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.
- Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.
- Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.
- Sensitive personal information is protected from processing except where specifically permitted by written law.
- Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.
- Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.
- The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.
- Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.
The transfer of personal data is addressed in Chapter 5 of the 2004 Act on the protection of personal data (Articles 47 to 52), and is generally prohibited or subject to strict measures, including prior authorization (submitted to the National Authority for Protection of Personal Data) and the explicit consent of the person in question, which is mandatory. The transfer of personal data to a foreign country is prohibited whenever it may endanger public security or Tunisia's vital interests.
The international transfer of personal data may not occur if the foreign country does not provide an adequate level of protection. In every case, the authorization of the Instance is required before the transfer of personal data. The Instance shall issue its decision within one month from the date of receipt of the application.
When the personal data to be transferred concerns a child, the request is submitted to the family judge.
In its Decision No. 3 of September 5, 2018, the INPDP issued a non-exhaustive list of countries that provide an adequate level of protection of personal data, and to which transfer is a priori possible, but always subject to obtaining the authorization of the INPDP.
According to Article 90 of Organic Law no. 2004-63 of July 27, 2004,
“Anyone who: .... - transfers personal data abroad without the authorization of the Authority; ...”.
The LPPD distinguishes between the transfer of personal data to third parties in Turkey and the transfer of personal data to third countries.
Transfer of personal data to third parties
In principle, personal data can be transferred to third parties with the explicit consent of the data subject. The conditions and exemptions applied to collection and processing of personal data also apply to the transfer of personal data to third parties.
Transfer of personal data to parties in third countries
In addition to the conditions and exemptions applied to the transfer of personal data to third parties, one of the following conditions shall exist for transfer of data to parties in third countries:
- There is an adequacy decision, given by the Personal Data Protection Board, about the country, international organization or sectors within the country where the transfer will be made.
- The data controllers and data processors in Turkey and in the target country shall undertake protection in writing and obtain the Personal Data Protection Board's permission; and
- Data controllers and data processors shall sign BCRs and obtain the approval of the Personal Data Protection Board;
- Data controllers and data processors shall sign standard contractual clauses that are prepared and announced by the Personal Data Protection Board and notify the Personal Data Protection Board within 5 business days following their signature; or
- Public institutions / organizations abroad or international organizations and public institutions / organizations in Turkey or professional organizations in the nature of a public institution shall execute an agreement that is not in the nature of an international agreement, and obtain the Personal Data Protection Board's approval.
Moreover, in the absence of an adequacy decision or the appropriate safeguards listed above, data controllers and data processors may transfer personal data abroad in an incidental and non-repetitive manner, only in one of the following cases:
- The data subject gives explicit consent to the transfer and is informed about the possible risks of the cross-border data transfer;
- The transfer is necessary for the performance of a contract between the data subject and the data controller;
- The transfer is necessary for the implementation of pre-contractual measures taken upon the request of the data subject;
- The transfer is necessary for the establishment or performance of a contract between the data controller and another party for the benefit of the data subject;
- The transfer is necessary for an overriding public interest;
- The transfer is necessary for the establishment, exercise or protection of a right;
- The transfer is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; or
- The transfer is from a registry open to the public or to persons with a legitimate interest, provided that the conditions required to access the registry under the relevant legislation are met and the person with a legitimate interest requests the transfer.
For the purposes of cross-border transfers of personal data, the consent of the owner of the personal data is required. Since the Data Protection Law does not stipulate whether this should be a separate consent, it is recommended to obtain such consent together with the general consent to the collection and processing of personal data.
Please note that personal data transferred outside Turkmenistan shall also be stored in the territory of Turkmenistan. Personal data processed for the purpose of statistical and/or scientific analysis shall be de-personalized.
A data operator is not allowed to transfer personal data outside Turkmenistan to a third party by virtue of a contract on the collection and/or processing of personal data.
International transfers
The DPR restricts the transfer of Personal Data out of the ADGM to a jurisdiction outside of the ADGM, or to an international organisation. Transfer is interpreted broadly and covers not only an act of sending, but also making available Personal Data to an individual or organisation in another jurisdiction. This includes transfer to onshore UAE based recipients.
There are various ways in which Personal Data can be legitimately transferred outside of the ADGM. Those are as follows:
- transfer on the basis of an adequacy decision. The list of adequate jurisdictions can be found on the ADGM website. Note that these may be updated from time to time as the Commissioner will monitor for any changes in law which could impact an adequacy decision. When making its assessment the Commissioner will take account of the factors set out at Section 41(2) DPR;
- transfer on the basis of appropriate safeguards without the need for Commissioner approval for the transfer. Those include the following (provided always that the Controller or Processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available):
- a legally binding and enforceable instrument between public authorities;
- binding corporate rules (BCRs);
- standard data protection clauses adopted by the Commissioner of Data Protection (available online). Those are broadly based on the recently issued EU SCCs;
- a Commissioner approved code of conduct pursuant to Section 37 DPR together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights; or
- a Commissioner approved certification mechanism pursuant to Section 39 DPR together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights.
The Commissioner does not require exporters relying on (i) – (v) above to conduct a detailed analysis of the laws of the importing jurisdiction, but recommends that exporters conduct due diligence on importing entities to ensure that they are capable of meeting their commitments under (i) – (v) above (as applicable).
- where the Commissioner has given its approval to:
- contractual clauses between the Controller or Processor and the Controller, Processor or the recipient of the Personal Data outside of ADGM or the international organisation; and
- provisions to be inserted into administrative arrangements, including regulatory memorandums of understanding between public authorities or domestic or international bodies which include enforceable and effective Data Subject rights; or
- transfers made on the basis of the derogations set out under Section 44 DPR (some of which are subject to additional qualifications):
- the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is required by law enforcement agencies of the UAE in accordance with Applicable Law (as defined under the DPR);
- the transfer is necessary for the establishment, exercise or defence of legal claims (including judicial, administrative, regulatory and out-of-court procedures); or
- the transfer is necessary in order to protect the vital interests of the Data Subject or of another person, where the Data Subject is physically or legally incapable of giving consent.
As per Article 26 DPL, Personal Data may be transferred out of the DIFC:
- to a country or jurisdiction that has been determined to have adequate protections (available on the DIFC Commissioner for Data Protection website); or
- if it takes place in accordance with Article 27 DPL.
Article 27 DPL provides that:
A transfer or a set of transfers of Personal Data to a Third Country (i.e. Anywhere other than the DIFC, including onshore UAE) or an International Organisation (as defined within the DPL) may take place on condition that:
- the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2), set out below), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
- one of the specific derogations in Article 27(3) (set out below) applies; or
- the limited circumstances in Article 27(4) (set out below) apply.
Article 27 (2) DPL provides that the appropriate safeguards referred to at (a) above may be provided for by:
- a legally binding instrument between public authorities;
- Binding Corporate Rules (i.e. Personal Data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of Personal Data between members of a Group, legally bind such members to comply, and which contain provisions for the protection of such Personal Data);
- standard data protection clauses adopted by the Commissioner (available on the DIFC website). The DIFC SCCs are a synthesised set of SCCs modelled on the EU Model Clauses and the UK IDTA. They do not, however, take a modular approach;
- an approved code of conduct pursuant to Article 48 together with binding and enforceable commitments of the Controller or Processor in the third country or the International Organisation to apply the appropriate safeguards, including regarding a Data Subject’s rights; or
- an approved certification mechanism pursuant to Article 50 DPL together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding Data Subjects' rights.
Article 27 (3) DPL sets out the following derogations:
- a Data Subject has explicitly consented to a proposed transfer, after being informed of possible risks of such transfer due to the absence of an adequacy decision or appropriate safeguards;
- the transfer is necessary for the performance of a contract between a Data Subject and Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
- the transfer is necessary for the conclusion or performance of a contract that is in the interest of a Data Subject between a Controller and a third party;
- the transfer is necessary for reasons of Substantial Public Interest;
- the transfer is necessary or legally required in the interests of the DIFC, including in the interests of the DIFC Bodies relating to the proper discharge of their functions;
- the transfer is necessary for the establishment, exercise or defence of a legal claim;
- the transfer is necessary in order to protect the vital interests of a Data Subject or of other persons where a Data Subject is physically or legally incapable of giving consent;
- the transfer is made in compliance with applicable law and data minimisation principles from a register that is:
- intended to provide information to the public; and
- open for viewing either by the public in general or by any person who can demonstrate a legitimate interest;
- subject to Article 28 DPL (which sets out the requirements for data sharing with public authorities), the transfer is:
- necessary for compliance with any obligation under applicable law to which the Controller is subject;
- made at the reasonable request of a regulator, police or other government agency or competent authority;
- the transfer is subject to international financial standards, the transfer is necessary to uphold the legitimate interests of a Controller recognised in international financial markets, except where such interests are overridden by the legitimate interests of the Data Subject relating to the Data Subject's particular situation; or
- the transfer is necessary to comply with applicable anti-money laundering or counter-terrorist financing obligations that apply to a Controller or Processor or for the prevention or detection of a crime.
Article 27(4) DPL provides that where a transfer cannot be based on one of the aforementioned bases (including those at (a) to (k), thereby making data transfers more flexible under the DPL), such transfer to a Third Country or an International Organisation may take place only if:
- the transfer is not repetitive or part of a repetitive course of transfers;
- concerns only a limited number of Data Subjects;
- is necessary for the purposes of compelling legitimate interests pursued by the Controller that are not overridden by the interests or rights of the Data Subject; and
- the Controller has completed a documentary assessment of all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of Personal Data.
Under such circumstances the Controller is required to inform the Commissioner of any such transfer and to inform the Data Subject of the transfer and the compelling legitimate interests.
Patient Health Information may only be transferred to a third party located in a jurisdiction outside DHCC if:
- an adequate level of protection for that Patient Health Information is ensured by the laws and regulations that are applicable to the third party; and
- the transfer is either:
- authorized by the Patient; or
- necessary for the ongoing provision of Healthcare Services to the Patient.
A jurisdiction shall be considered to have an adequate level of protection if that jurisdiction is listed as an acceptable jurisdiction under the Dubai International Financial Center Data Protection Law No. 1 of 2007 or has the written approval of the Central Governance Board.
As noted above, DHA’s regulations regarding Policy for Health Data Protection and Confidentiality 2022 may now override the transfer provisions of the HDPR.
Data transfers out of the UAE may be subject to different laws.
The PDPL imposes limitations on the international transfer of Personal Data to outside of the UAE. Similar to the concept of the “adequate jurisdictions” in the EU, the Data Office is expected to approve certain territories as having sufficient provisions, measures, controls, requirements and rules for protecting privacy and confidentiality of personal data. There are also various other exceptions which exporters can rely on, although further details are awaited from the Data Office.
Article 10 of the SVF Regulation requires that customer data (including customer identification and transaction records) are stored and maintained in the UAE.
Article 13 of the ICT in Health Fields Law requires that Health Information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health. Federal Ministerial Decision No 51 of 2021 Cases Allowing the Storage and Transfer of Medical Data and Information Out of the State, outlines the circumstances in which such Health Information may be transferred outside of the UAE. The Federal level also requirements need to be considered against various Emirate level policies, procedures and guidance documents which, depending upon the location of the relevant parties, patients and the nature of the activities being performed may also impact the collection, processing and international transfer of health information.
In addition, in circumstances where telecommunications service providers provide subscriber information to affiliates or third parties directly involved in the supply of the telecommunications services ordered by a subscriber, the third parties are required to take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information, and to use such information only as needed for the provision of the requested services. Telecommunications service providers are required to ensure that the contracts between them and any affiliate or third party hold the other party responsible for the privacy and protection of the subscriber’s information (TDRA Consumer Protection Regulations v2.0, Article 24.9).
Section 19 of the Data Protection and Privacy Act permits personal data to be processed or stored outside Uganda provided that:
- the country in which the data is processed or stored has adequate measures in place for the protection of personal data which are at least equivalent to the protection provided under the Act; or
- the data subject has consented.
Regulation 30(2) of the Data Protection and Privacy Regulations prohibits any further transfer of personal data processed outside Uganda to a third country without the consent of the data subject.
Under Regulation 30(4), the Personal Data Protection Office is required to specify the countries with adequate or equivalent protection for purposes of data transfer. This publication is yet to be released by the Office.
In accordance with the Data Protection Law, personal data may be transferred to foreign parties when there is an appropriate level of protection of personal data in the respective state of the transferee. Pursuant to the Data Protection Law, such states include member states of the European Economic Area, signatories to the EC Convention on Automatic Processing of Personal Data, and states whose regulators of financial markets are signatories to the IOSCO (International Organization of Securities Commissions) Multilateral Memorandum of Understanding concerning Consultation and Cooperation and the Exchange of Information. The list of the states ensuring an appropriate level of protection of personal data will be determined by the Cabinet of Ministers of Ukraine.
Personal data may be transferred abroad based on one of the following grounds:
- Unambiguous consent of the personal data subject;
- Cross-border transfer is needed to enter into or perform a contract between the personal data owner and a third party in favor of the data subject;
- Necessity to protect the vital interests of the data subject;
- Necessity to protect the public interest, or to establish, fulfil or enforce a legal requirement;
- Non-interference in personal and family life of the data subject, as guaranteed by the data owner.
Transfers of personal data by a controller or a processor to third countries outside of the United Kingdom are only permitted where the conditions laid down in the UK GDPR are met (Article 44).
The United Kingdom Government has the power to make an adequacy decision in respect of a third country under the UK GDPR (Article 45). This power is equivalent to that of the European Commission under the EU GDPR and involves the Secretary of State making a positive determination that the third country provides an adequate level of data protection, following which personal data may be freely transferred to that third country (Article 45(1)). On 21 September 2023, the United Kingdom Government adopted its adequacy decision for the UK Extension to the EU-US Data Privacy Framework, under which an adequate level of protection for personal data transferred from the UK to US companies that have joined the framework is ensured in accordance with UK GDPR Art. 45. Currently, the following countries or territories enjoy UK adequacy decisions (these have all essentially been 'rolled over' from the EU GDPR): Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Eastern Republic of Uruguay, United States (if certified under the UK Extension to the EU-US Data Privacy Framework) and New Zealand. The UK is also treating all EU and EEA Member States as adequate jurisdictions. The United Kingdom has the power to make its own adequacy decisions and is considering new candidates for UK adequacy.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection to data subjects and their personal data [1].
Schedule 21 to the DPA provides that the EU Commission approved standard contractual clauses may continue to be used for transfers under the UK GDPR, until such time as they are replaced by clauses issued by the UK Government. Note that the standard contractual clauses carried into UK law are those which were in use as at the end of 2020. It is expected these will be updated during the course of 2021.
Article 49 of the UK GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:
- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to domestic law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the United Kingdom (Article 48) are only recognised or enforceable (within the United Kingdom) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the United Kingdom; a transfer in response to such requests where there is no other legal basis for transfer will infringe the UK GDPR.
Transfers from the EU to the UK
The UK is now a third country for the purposes of Chapter V of the EU GDPR.
On 28 June 2021, the EU adopted adequacy decisions in relation to the UK, recognising that the UK offers an equivalent level of protection of personal data as compared to the EU. This therefore enables personal data to flow freely from the EU to the UK.
Footnotes
1. Following the decision of the Court of Justice of the European Union in the Data Protection Commissioner v. Facebook and Max Schrems case (the ‘Schrems II’ case)
There are, generally, no geographic transfer restrictions that apply in the US, except regarding the storing of some governmental records and information. However, the HIPAA Privacy Rule requires that covered entities not disclose protected health information outside the US without appropriate safeguards.
Executive Order 14117
Additionally, on February 28, 2024, Executive Order 14117 'Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern' (EO) set forth that '[i]t is the policy of the United States to restrict access by countries of concern to Americans’ bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States.' Under the EO, the Attorney General is authorized to determine and identify classes of transactions that 'pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data.' In this context 'sensitive personal data' includes covered personal identifiers (such as SSN, passport and government IDs), personal financial data, personal health data, precise geolocation data, biometric identifiers, and human 'omic data, or a combination thereof. However, it is important to note that the EO does not broadly set forth general bulk transfer restrictions, but is focused on regulating specific transfers that could be of concern to national security.
Pursuant to the EO, following its Advance Notice of Proposed Rulemaking (ANPRM) publication in the Federal Register on March 5, 2024, and subsequent Notice of Proposed Rulemaking (NPRM) from October 21, 2024, the Department of Justice (DOJ) issued its Final Rule (Rule) implementing EO 14117. The Rule sets forth definitions, countries of concern and in-scope covered persons, and defines prohibited, restricted and exempt transactions under the Rule. In addition, the Rule addresses the relevant processes to obtain licenses to authorize otherwise prohibited or restricted transactions, provides protocols for the designation of covered persons, and sets forth requirements relating to advisory opinions, recordkeeping, reporting, and other audit and due diligence obligations applicable to covered transactions. The Rule will come into effect 90 days from the date of the Rule’s publication, with certain requirements (eg, due diligence, reporting, and auditing requirements) coming into effect 270 days after publication. The DOJ announced that it intends to publish additional compliance, enforcement, and other practical guidance and clarifications. Such supplemental guidance will be located at www.justice.gov/nsd/data-security.
Final Rule to implement Executive Order 14117
Under the Rule, certain highly sensitive transactions are prohibited in their entirety ('prohibited transactions'), while other classes of transactions are restricted but permitted to the extent they comply with predefined security requirements to mitigate the risk of access to certain high-risk 'bulk data' by 'countries of concern' ('restricted transactions'). The Rule prohibits or limits U.S. persons from knowingly engaging in prohibited and restricted transfers that pose an unacceptable risk of providing 'countries of concern' or 'covered persons' access to US government-related data or bulk sensitive personal data, as such terms are defined under the EO and Rule. Accordingly, the Rule:
- classifies:
  - prohibited, restricted, and exempt transactions
  - countries of concern to which the prohibitions and restrictions apply
  - covered persons to which the prohibitions and restrictions apply, and
- identifies and establishes:
  - the processes for licensing and advisory opinions
  - thresholds for applicability of the prohibitions and restrictions on covered data transactions involving bulk sensitive personal data
  - recordkeeping, auditing, reporting, and other compliance requirements, and
  - enforcement mechanisms including civil penalties
Key Definitions and Classifications under the Rule
Countries of Concern
The Rule identifies six countries as countries of concern:
- China (including Hong Kong and Macau)
- Cuba
- Iran
- North Korea
- Russia, and
- Venezuela
Sensitive Personal Data
Under the Rule the definition of sensitive personal data includes covered personal identifiers (e.g., names linked to device identifiers, Social Security numbers, driver’s license, or other government identification numbers), precise geolocation data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof.
Notably, the definition categorically excludes public or nonpublic data that does not relate to an individual, including trade secrets or proprietary information (that meet the relevant definition), data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (eg, court records) or via widely distributed media (ie, sources generally available to the public via unrestricted access), personal communications, and information or informational materials, including ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.
Bulk Data
The term 'bulk' refers to any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the prior 12 months, regardless of whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign or covered person:
- human genomic data collected or maintained on more than 100 U.S. persons
- human 'omic data collected or maintained on more than 1,000 U.S. persons
- biometric identifiers collected or maintained on more than 1,000 U.S. persons
- precise geolocation data collected or maintained on more than 1,000 U.S. devices
- personal health data collected or maintained on more than 10,000 U.S. persons
- personal financial data collected or maintained on more than 10,000 U.S. persons
- certain covered personal identifiers collected or maintained on more than 100,000 U.S. persons
- any combination of the above data types that meets the lowest threshold for any category in the dataset
Bulk U.S. Sensitive Personal Data
The term 'bulk U.S. sensitive personal data' means a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds the applicable threshold set forth above.
Covered Data Transaction
A 'covered data transaction' is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:
- data brokerage
- a vendor agreement
- an employment agreement, or
- an investment agreement
U.S. persons engaged in data brokerage with foreign persons who are not covered persons must comply with minimum conditions, including putting in place contract terms that prohibit the foreign person from subsequently reselling or providing access to the transferred data to countries of concern or covered persons.
Prohibited Transactions
The Rule provides for four categories of ‘prohibited transactions,' including:
- covered data transactions involving data brokerage with a country of concern or covered person,
- transactions involving any access by a foreign person to government-related data or bulk U.S. sensitive personal data and that involves data brokerage with any foreign person that is not a covered person unless the U.S. person agrees to certain contractual and reporting obligations.
The Rule further specifically prohibits:
- transactions involving access by a country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human 'omic data, or to human biospecimens from which bulk human 'omic data could be derived, and
- any transaction that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the Rule’s provisions.
The Rule also prohibits conspiring to violate the Rule.
Restricted Transactions
The Rule provides for three categories of 'restricted transactions':
- vendor agreements
- employment agreements, and
- non-passive investment agreements
In contrast to 'prohibited transactions,' the Rule permits 'restricted transactions,' provided that certain security requirements developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are met to mitigate the risk of access by any 'countries of concern' or 'covered persons.' Restricted transactions involving access by countries of concern or covered persons to 'bulk U.S. sensitive personal data' or 'U.S. Government-related data' must comply with separate security requirements developed by CISA in coordination with the DOJ. Accordingly, CISA has also published its own security requirements. CISA's security requirements include data-level, organizational-level and covered-system-level requirements.
Reporting Requirements
Under the Rule, certain U.S. persons must comply with reporting requirements to demonstrate compliance and safeguard national security. These include:
- annual reports filed by U.S. persons engaged in restricted transactions involving cloud-computing services, if they are 25% or more owned, directly or indirectly, by a country of concern or covered person
- reports by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage
- reports by U.S. persons engaged in a covered data transaction involving data brokerage with a foreign non-covered person if the U.S. person knows or suspects that the foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern or covered persons, and
- reports by U.S. persons invoking the exemption for certain data transactions that are necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern.
Personal data can only be transferred to a third party:
- for purposes directly related to the legitimate interest of the transferring party and the transferee; and
- with the data subject's prior consent. Such consent may be revoked. Additionally, the data subject must be informed of the purpose of the transfer, the identity of the transferee, and the purposes for which the personal data will be used.
The data subject's prior consent is not necessary if the individual’s data to be transferred is limited to: name, surname, identity card number, nationality, address, and date of birth.
The purpose and proper identification of the transferee must be included in the consent communication that would be addressed to the data subject. Evidence of the data subject’s consent must be kept in the files of the data processor.
If the data subject’s consent is not obtained within ten business days (counted from the receipt of the communication from the data processor asking for the consent), it will be construed that the data subject did not consent to the transfer of the data.
Upon the transfer, the data processor will remain jointly and severally liable for the transferee's compliance with its obligations under the Data Protection Act.
The Data Protection Act forbids the transfer of personal data to countries or international entities which do not provide adequate levels of data protection (according to URCDP). However, the Data Protection Act allows international transfer to unsafe countries or entities when the data subject consents to the transfer (such consent must be given in writing), or when the guarantees of adequate protection levels arise from “contractual clauses” or “self-regulation systems”. The international data transfer agreement must establish the same levels of protection which are effective under the laws of Uruguay.
In the case of a cross‑border transfer within a group of companies, Uruguayan laws establish that the international transfer will be lawful without any authorisation whenever the branch has the same conduct code duly registered before the local URCDP.
The international transfer of personal data between headquarters and their respective branches or subsidiaries is authorised when the headquarters and their branches have a conduct code duly filed before URCDP.
The Law on Personal Data defines the cross-border transfer of personal data as the transfer of personal data by the owner / operator outside the territory of the Republic of Uzbekistan. Cross-border transfer of personal data is allowed only to the territory of foreign states providing adequate protection of the rights of personal data subjects. At present, it is unclear which states will qualify as providing “adequate” protection, as no list of such countries has been adopted yet by the regulatory authorities.
Nevertheless, cross-border transfer of personal data is still possible even if the foreign state does not provide adequate protection. Such transfer is possible in three exceptional cases:
- the subject explicitly agrees to such transfer;
- there is a need to protect the constitutional order of Uzbekistan, the public order, rights and freedoms of citizens, health and morality of the population;
- if such transfer is stipulated by the international treaty of Uzbekistan.
The Law on Personal Data also determines that cross-border transfer of personal data may be prohibited or restricted in order to protect the constitutional order of the Republic of Uzbekistan, morality, health, rights and legitimate interests of citizens, and to secure defense of the country and national security.
According to the general principles dictated by the TSJ, there is a protection against the transfer of data to States whose legislation does not guarantee a level of protection similar to the one described.
In addition, in terms of labor law, the employee's consent is required to transfer personal data to third parties. There are companies that voluntarily develop their own data protection policies or apply their headquarters policies or international standards for this matter.
In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies), the data controller must inform the data subjects and obtain prior explicit consent from such data subjects. In particular, the traders or organizations collecting and using the consumer’s personal information on an E-commerce website must have specific mechanisms for the data subjects to permit or refuse the use of their personal information to send advertisements, introduce products and send other commercial information.
In cases of cross-border transfers, the PDPD defines cross-border personal data transfer as any activity involving the use of cyberspace, electronic equipment, electronic means or other forms to transfer personal data of Vietnamese citizens to a location outside Vietnam. The use of a location outside Vietnam to process Vietnamese citizens’ personal data is also considered cross-border transfer of personal data, including:
- Organizations, enterprises or individuals transferring personal data of Vietnamese citizens to organizations, enterprises or management bodies located overseas for processing in accordance with the purposes consented by the data subjects;
- Processing of personal data of Vietnamese citizens by use of automated systems located outside of Vietnam by the controller, controller-processor or processor in accordance with the purposes consented by the data subjects.
Given the foregoing, the transfer of personal data to other companies which are located overseas or processing of personal data of Vietnamese citizens merely by servers located overseas, without any local presence in Vietnam, are both considered cross-border transfer of personal data and subject to relevant requirements of the PDPD, notably the preparation and submission of the TIA to the authority.
The TIA shall be made available at all times for the inspection and evaluation by the A05 / the MPS. In addition, the transferor shall send one original copy of the TIA to the A05 according to a standard form issued under the PDPD within 60 days from the date of the personal data processing. The A05 will then appraise the TIA and request the transferor to revise the dossier in case it finds that the TIA is incomplete. Moreover, any change to the TIA’s contents must be submitted to the A05 within 10 days from the date of request.
In addition to the above requirements, it is worth noting that data localization could also be imposed on certain businesses providing services in Vietnam. The data localization requirements are provided in certain legal documents, e.g.:
- According to Decree 147, onshore electronic general information pages (i.e. aggregated pages) and onshore social networks must use “.vn” as their main domain and store service users’ data in servers identified by IP addresses in Vietnam.
- The Cybersecurity Law requires that domestic or foreign cyberspace service providers carrying out activities of collecting, exploiting / using, analysing and processing data being personal information, data about service users' relationships and data generated by service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the Government. In particular, according to Article 26 of the Decree 53, domestic and foreign enterprises providing telecoms and online services to customers in Vietnam may be required to locally store certain customer-related data in Vietnam for a certain period prescribed by law if the authority alerts them that their services / online platforms have been used to commit violations of Vietnam’s laws but such online service providers fail to remedy the situation upon the request of the authority. According to the latest version of the Decree 53, while all domestic organizations providing telecoms services and online services to customers in Vietnam would be required to store their customer data in Vietnam, the foreign organizations which could be subject to the foregoing data localization requirements only include those engaging in the following 10 services: (i) telecommunications; (ii) data storage and sharing in cyberspace; (iii) supply of national or international domains to service users in Vietnam; (iv) E-commerce; (v) online payment; (vi) intermediary payment; (vii) transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) providing, managing or operating other information in cyberspace in the form of messages, phone calls, video calls, email or online chats. Pursuant to Decree 53, only the following types of data are required to be stored in Vietnam:
- Data on personal information of service users: i.e. data on information in the form of symbols, letters, numbers, images, sounds, or equivalent to identify an individual (“Personal Data”);
- Data created by service users in Vietnam: i.e. data on information in the form of symbols, letters, numbers, images, sounds, or equivalent reflecting the process of participating, operating, and using cyberspace of service users and information on devices and network services used for connection with cyberspace in the territory of the Socialist Republic of Vietnam. It should be noted that the information under this category of data which is required to be stored in Vietnam only includes information on service account name, service usage time, credit card information, email address, IP addresses for the latest login and logout, registered phone number associated with account or data (“Account Data”); and
- Data on the relationships of service users: i.e., data on information in the form of symbols, letters, numbers, images, sounds, or equivalences reflecting and identifying relationships of service users with other people in cyberspace. Decree 53 further specifies that the information under this category of data which is required to be stored in Vietnam only includes information on friends and groups with which the service user connects or interacts in cyberspace (“Relationship Data”).
Moreover, foreign enterprises engaging in the abovementioned services are also required to establish branches or representative offices in Vietnam in case the authority alerts them that their services / online platforms have been used to commit violations of Vietnam’s laws but they have failed to remedy the situation upon the request of the authority. The period for such establishment shall commence when the enterprises receive the request to do so and last until such enterprises terminate their operation in Vietnam or the prescribed services are no longer available in Vietnam.
Under the Data Law, there are no specific restrictions on cross-border data transfers, except in the case of a foreign law enforcement or judicial agency’s request for data related to a Vietnamese organization or individual which shall be considered and decided by local authorities. Although restrictions on the transfer of “core” or “important” data from Vietnam to other countries were removed from the draft law prior to adoption, the Data Law stipulated that such transfers of “core” or “important” data must ensure national defense and security, protection of national interests, public interests, and the rights and lawful interests of data subjects and data owners, in accordance with Vietnamese laws and international treaties to which Vietnam is a party. The Data Law broadly defines “Important data” as data that impact national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety, while “core data” means important data that directly affects national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety. Detailed lists of “important” data and “core” data will be issued by the prime minister and a guiding decree detailing the regulations of the Data Law, including notably cross-border data transfers, will be issued by the government (intended for April 2025).
Transfer of personal data and sensitive personal data is subject to certain restrictions under the DPA. The DPA provides that personal data must be processed and stored on a server or data centre located in the Republic. The Minister may however prescribe categories of personal data that may be stored outside the Republic. The powers of the Minister notwithstanding, sensitive personal data must be processed and stored in a server or data centre located in the Republic.
Furthermore, the DPA provides that personal data other than personal data categorised by the Minister may be transferred outside the Republic where:
- the data subject has consented and
- the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Data Protection Commissioner; or
- the Minister has prescribed that transfers outside the Republic are permissible; or
- the Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.
Additional exceptions for the transfer of personal data outside the Republic are provided for, including:
- in case of an emergency, to a particular person or entity engaged in the provision of health services or emergency services;
- where the data subject has explicitly consented to that transfer of sensitive personal data; and
- to a particular international organisation or country which complies with the DPA, where the Data Protection Commissioner is satisfied that the transfer or class of transfers is necessary for any class of data controllers or data subjects and does not hamper the effective enforcement of the DPA.
According to section 28 of the Act, data controllers may not transfer personal information to a third party in a foreign country unless an adequate level of protection is ensured. This adequacy is assessed based on the circumstances surrounding the transfer, including the nature of the data, the purpose and duration of processing, the recipient, the recipient country's data protection laws, and professional rules and security measures.
Data controllers must notify the Authority of any intention to transfer or share data outside of Zimbabwe.