The European General Data Protection Regulation is one of the most comprehensive and advanced data protection laws in the world. It applies to the processing of personal data of citizens of EU member states, even if their data is processed outside the EU.
You can generally use service providers from an EU member state in your project without any concerns, as the provider is directly subject to the regulations of the GDPR. However, as soon as you use service providers based outside the EU, compliance with the GDPR can no longer be guaranteed without additional measures.
The European Commission has certified individual countries as having an equivalent level of data protection via a so-called "adequacy decision". The transfer of personal data to these countries is not subject to any restrictions.
The current list of countries with an adequacy decision can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
If you use a service provider that is not based in any of the countries listed, you must ensure that the personal data is still adequately protected by the provider. This is only possible through additional guarantees on the part of the service provider.
One option is to use the so-called EU standard data protection clauses. These are a set of contracts provided by the European Commission. With this contract template, providers can bind themselves to the data protection regulations. Corresponding information from the EU can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
You can find a detailed description of the issue in our course "basic course data protection" -> "The GDPR explained".
Source: Megan Rexazin on Pixabay