Summary: Personal data needs to remain safe when processed in other countries outside the EU/EEA. If the processing requires exporting personal data outside the EU – and that includes giving access to data to people outside the EU – then it is necessary to describe the appropriate transfer mechanisms and measures that will ensure data will still remain properly protected.

Step 9 describes the appropriate transfer mechanisms that allow the transfer of personal data from the EU to other countries outside the European Economic Area. As explained in step 8, personal data must still be properly protected when it is processed by third parties, especially when processing takes place outside the EU/EEA.

A data transfer also takes place when access to personal data is given to third parties that are subject to the laws and regulations of foreign countries – for example, by granting access to a shared folder.

There are also a few countries where the European Commission has considered that their laws and regulations offer an equivalent protection to personal data. As such, data transfers to such countries are in principle not prohibited – meaning that personal data exported to these countries will still be properly protected. As of 2025, the list of countries so far include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.

Apart from the aforementioned countries, if international data transfers are being planned to countries outside the EU/EEA, these plans should be discussed with the faculty Privacy Officer, in order to define and describe the appropriate transfer mechanisms and measures that will ensure data will still remain properly protected.

If no international data transfers are planned or expected, it can be stated in this step that “There are no planned transfers of personal data to other countries outside the EU”

Previous: Description of Measures to Ensure Compliance By Processors and/or Joint Controllers | Next: Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing