As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection.
Third countries’ level of personal data protection is assessed by the European Commission through “adequacy findings”, which are binding in their entirety on all Member States. Once the “adequacy” of a third country has been recognised, personal data can be transferred to that country without having to take further protective measures.
The existing adequacy findings will all be grandfathered under the GDPR.
A novelty in the GDPR with respect to adequacy decisions is that they are subject to periodic review, at least every four years, taking into account all relevant developments in the third country concerned.