International transfers of personal data

EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and non-EU countries Iceland, Liechtenstein and Norway.

When personal data is transferred outside the European Economic Area, special safeguards are foreseen to ensure that the protection travels with the data.

The reform of EU data protection legislation adopted in 2016 offers a diversified toolkit of mechanisms to transfer data to third countries: adequacy decisions, standard contractual rules, binding corporate rules, certification mechanism, codes of conduct, so-called "derogations" etc.

While the architecture of the international transfers' regime is similar to that under the 1995 Data Protection Directive, the reform simplifies and expands the use of existing mechanisms and introduces new tools for international transfers.

Having completed the reform of EU data protection legislation, the Commission has adopted a strategy on promoting international privacy standards. Its Communication of 10 January 2017 presents its approach in developing adequacy decisions as well as other tools for transfers and international data protection instruments.