According to the GDPR, data may only be transferred outside the European Economic Area in the following cases:
- To countries, territories and specified sectors (the GDPR also includes international organisations) within a third country for which the European Commission has decided that an adequate level of protection is ensured
- When a guarantee of an adequate level protection of the data to be received has been offered in the form of:
- a legally binding and enforceable instrument between public authorities or bodies
- binding corporate rules (BCR)
- standard data protection clauses adopted by:
- the Commission, in accordance with an examination procedure
- the Catalan Data Protection Authority and approved by the Commission pursuant to the examination procedure referred to in Article 93 of the GDPR
- authorisation from the Catalan Data Protection Authority, on the basis of:
- contractual clauses
- provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
- an approved code of conduct pursuant to Article 40 of the GDPR which includes binding and enforceable commitments of the controller or processor in the third country
- an approved certification mechanism pursuant to Article 42 of the GDPR which includes binding and enforceable commitments of the controller or processor in the third country
- When any of the exceptions provided in Article 49 of the GDPR are applied which permit transfer of the data in the absence of appropriate safeguards for reasons of the interest of the data subject or important reasons of public interest.