The transfer can be defined as any communication, copy or movement of personal data intended to be processed in a country outside the European Union.

Data transfers outside the European Union are prohibited as a matter of principle.

Articles 44 to 49 of the GDPR provide for exceptions to this prohibition. They provide for the use of tools to control this transfer:

• an adequacy decision by the European Commission regarding certain countries ensuring an adequate level of protection;

• standard contractual clauses (SCC) of the European Commission;

• internal company rules (BCR);

• specific contractual clauses (considered to comply with the European Commission's model clauses);

• standard contractual clauses adopted by a supervisory authority and approved by the European Commission;

• an approved code of conduct (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards);

• an approved certification scheme (including a binding and enforceable commitment by non-EU recipients to apply appropriate safeguards);

• an administrative arrangement or a legally binding and enforceable text taken to enable cooperation between public authorities (Memorandum of Understanding or MMOU, international convention, etc.).

Derogations are provided for in Article 49 of the GDPR. If a derogation justifies the transfer, the nature of the derogation must be indicated and, if necessary, the assessment of the circumstances of the transfer and the appropriate guarantees must be detailed.