Cooperation with service providers from third countries

As the European General Data Protection Regulation applies to all EU member states, nothing stands in the way of data processing within the European Union. However, if data is processed outside the European Union in so-called "third countries", you must check whether there is an adequate level of data protection in the country so that personal data is also well protected there. 

The GDPR regulates the "transfers of personal data to third countries or international organisations" in Chapter 5 (Articles 44 to 50 GDPR).

Art. 44 GDPR - General principle for transfers

1. Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. 
2. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Art. 45 GDPR - Transfers on the basis of an adequacy decision

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation
2. […]

What does that mean?

A transfer to a third country outside the EU is only permitted if the European Commission has recognised the third country as having an adequate level of protection. 

Countries with an adequate level of protection

From the European Commission's perspective, Norway, Liechtenstein and Iceland are on an equal footing with the EU member states. The European Commission has also recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom under the General Data Protection Regulation and the LED, the United States (commercial organisations participating in the EU-US data protection framework) and Uruguay as providing adequate protection.

A list of the current countries can be found on the EU Commission's website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Countries without an adequate level of protection

If a transfer of personal data to countries not included in this list is planned, the only option is to use the so-called "EU standard contractual clauses" or other sufficient guarantees. The standard contractual clauses are a model contract issued by the European Commission. With these contracts, the service provider in the third country undertakes to comply with European data protection standards. If these model contracts are used, personal data can be transferred to third countries without further authorisation from the supervisory authorities.

A template of the EU standard contractual clauses can be found on the website of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en