[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f42aFE8eiesNYh88_EEk9taHHLN61fjugh4AGMMc2JVc":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":7,"lang":12,"url":13,"intro":14,"featured":4,"state":15,"author":16,"authorId":17,"datePublication":21,"dateCreation":22,"dateUpdate":23,"mainCategory":24,"categories":44,"metaDatas":50,"imageUrl":7,"imageThumbUrls":51,"id":52},false,"## Definition:\r\n\r\nPersonal data is transferred when personal data is **transferred from European territory to one or more countries outside the European Union**. The transfer may be made by copying, by moving data, via a network or from one medium to another (e.g. from a computer hard drive to a server).\r\n\r\nThree cumulative criteria are necessary to determine whether personal data is being transferred to a third country. This means that if a processing operation meets these three criteria, it will constitute a transfer within the meaning of Chapter 5 of the GDPR.\r\n\r\nThe three criteria are as follows:\r\n\r\n1. A controller or processor is subject to the GDPR for the given processing operation.\r\n2. That controller or processor (\"exporter\") discloses by transmission or otherwise makes available to another controller, joint controller or processor (\"importer\") personal data which is the subject of that processing.\r\n3. The importer is located in a third country or is an international organisation, regardless of whether or not that importer is subject to the GDPR in respect of the processing given in accordance with Article 3.\r\n\r\nOn the other hand, if a processing operation does not meet these three criteria, it will not constitute a transfer within the meaning of Chapter V of the GDPR.\r\n\r\n**Example 1** - A company wishes to outsource the management of its customer telephone reminders to a company located in a country outside the European Union.\r\n\r\n**Example 2** - The employee data of a multinational is centralised by the parent company located in the United States. The personal data of French employees is therefore transferred to the United States.\r\n\r\nAs a matter of principle, data transfers outside the European Union are **prohibited**.\r\n\r\nArticles 44 to 49 of the GDPR provide for **exceptions** to this prohibition. They provide for the use of tools to control such transfers:\r\n\r\n- an **adequacy decision** by the European Commission concerning certain countries ensuring an adequate level of protection ;\r\n- **standard contractual clauses (SCC)** issued by the European Commission;\r\n- **internal company rules (BCR)**;\r\n- **specific contractual clauses** (considered to comply with the European Commission's model clauses);\r\n- **standard contractual clauses** adopted by a supervisory authority and approved by the European Commission,\r\n- an approved **code of conduct** (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards),\r\n- an approved **certification** scheme (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards),\r\n- an **administrative arrangement** or a legally binding and enforceable text adopted to enable cooperation between public authorities (Memorandum of Understanding or MMOU, international convention, etc.).\r\n\r\n**Article 49 of the GDPR** provides for derogations. If a derogation justifies the transfer, the nature of the derogation must be indicated and, where applicable, the assessment of the circumstances of the transfer and the appropriate safeguards must be detailed.","\u003Ch2 id=\"definition\">Definition:\u003C/h2>\r\n\u003Cp>Personal data is transferred when personal data is \u003Cstrong>transferred from European territory to one or more countries outside the European Union\u003C/strong>. The transfer may be made by copying, by moving data, via a network or from one medium to another (e.g. from a computer hard drive to a server).\u003C/p>\r\n\u003Cp>Three cumulative criteria are necessary to determine whether personal data is being transferred to a third country. This means that if a processing operation meets these three criteria, it will constitute a transfer within the meaning of Chapter 5 of the GDPR.\u003C/p>\r\n\u003Cp>The three criteria are as follows:\u003C/p>\r\n\u003Col>\r\n\u003Cli>A controller or processor is subject to the GDPR for the given processing operation.\u003C/li>\r\n\u003Cli>That controller or processor (\"exporter\") discloses by transmission or otherwise makes available to another controller, joint controller or processor (\"importer\") personal data which is the subject of that processing.\u003C/li>\r\n\u003Cli>The importer is located in a third country or is an international organisation, regardless of whether or not that importer is subject to the GDPR in respect of the processing given in accordance with Article 3.\u003C/li>\r\n\u003C/ol>\r\n\u003Cp>On the other hand, if a processing operation does not meet these three criteria, it will not constitute a transfer within the meaning of Chapter V of the GDPR.\u003C/p>\r\n\u003Cp>\u003Cstrong>Example 1\u003C/strong> - A company wishes to outsource the management of its customer telephone reminders to a company located in a country outside the European Union.\u003C/p>\r\n\u003Cp>\u003Cstrong>Example 2\u003C/strong> - The employee data of a multinational is centralised by the parent company located in the United States. The personal data of French employees is therefore transferred to the United States.\u003C/p>\r\n\u003Cp>As a matter of principle, data transfers outside the European Union are \u003Cstrong>prohibited\u003C/strong>.\u003C/p>\r\n\u003Cp>Articles 44 to 49 of the GDPR provide for \u003Cstrong>exceptions\u003C/strong> to this prohibition. They provide for the use of tools to control such transfers:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>an \u003Cstrong>adequacy decision\u003C/strong> by the European Commission concerning certain countries ensuring an adequate level of protection ;\u003C/li>\r\n\u003Cli>\u003Cstrong>standard contractual clauses (SCC)\u003C/strong> issued by the European Commission;\u003C/li>\r\n\u003Cli>\u003Cstrong>internal company rules (BCR)\u003C/strong>;\u003C/li>\r\n\u003Cli>\u003Cstrong>specific contractual clauses\u003C/strong> (considered to comply with the European Commission's model clauses);\u003C/li>\r\n\u003Cli>\u003Cstrong>standard contractual clauses\u003C/strong> adopted by a supervisory authority and approved by the European Commission,\u003C/li>\r\n\u003Cli>an approved \u003Cstrong>code of conduct\u003C/strong> (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards),\u003C/li>\r\n\u003Cli>an approved \u003Cstrong>certification\u003C/strong> scheme (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards),\u003C/li>\r\n\u003Cli>an \u003Cstrong>administrative arrangement\u003C/strong> or a legally binding and enforceable text adopted to enable cooperation between public authorities (Memorandum of Understanding or MMOU, international convention, etc.).\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cstrong>Article 49 of the GDPR\u003C/strong> provides for derogations. If a derogation justifies the transfer, the nature of the derogation must be indicated and, where applicable, the assessment of the circumstances of the transfer and the appropriate safeguards must be detailed.\u003C/p>\r\n",null,470,3,"Transfer of personal data",0,"en","transfer-of-personal-data","The concept of non-EU transfers","Published",{"id":17,"displayName":18,"avatarUrl":19,"bio":7,"blogUrl":7,"color":7,"userId":17,"creationDate":20},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-27T14:37:11.091","2023-12-27T15:37:09.7389583","2025-08-27T09:12:49.178018",{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":7,"count":7,"imageUrl":30,"parent":7,"order":11,"translations":31},21,"Glossary","Definition of every word used by Dastra","glossary","#643bb0","https://static.dastra.eu/tag/b308b9d3-37af-4e92-8354-ab8adec1740a/documentation-1000.png",[32,36,40],{"lang":33,"name":34,"description":35},"fr","Glossaire","La définition de tous les termes utilisés dans Dastra",{"lang":37,"name":38,"description":39},"es","Glosario","La definición de todos los términos utilizados en Dastra",{"lang":41,"name":42,"description":43},"de","Glossar","Die Definition aller in Dastra verwendeten Begriffe",[45],{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":7,"count":7,"imageUrl":30,"parent":7,"order":11,"translations":46},[47,48,49],{"lang":33,"name":34,"description":35},{"lang":37,"name":38,"description":39},{"lang":41,"name":42,"description":43},[],[],56355]