If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR's requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.

In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an "appropriate safeguard" or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.

The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA.  A full list of the transfer mechanisms can be found in Article 46. 

Click here to download the full PDF version of this client alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.