Personal data can be transferred outside of the EEA. According to the GDPR, which transfers outside the EEA are always lawful?

Personal data can be transferred outside of the EEA. According to the GDPR, which transfers outside the EEA are always lawful?

A. Transfers based on the laws of the non-EEA country concerns

B. Transfers falling under World Trade Organization rules

C. Transfers governed by approved binding corporate rules (BCR)

D. Transfers within a global corporation or organization

View Answer

Answer: C

Explanation:

Transfers based on the laws of the non-EEA country concerned. Incorrect. This would also require an adequacy decision confirming that those laws are sufficient.

Transfers falling under World Trade Organization rules. Incorrect. WTO only covers free trade of goods and services.

Transfers governed by approved binding corporate rules (BCR). Correct. Binding corporate rules approved by a supervisory authority involved make the transfer lawful. (Literature: A, Chapter 7; GDPR Article 47)

Transfers within a global corporation or organization. Incorrect. This would also require that they adopt official binding corporate rules.

Reference: https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en