When data is transferred outside of your organisation to another EU country it is always recommended that you put a contract in place that specifies the conditions of the data transfer. Besides all EU member states, personal data can also be transferred between the EU and three EFTA countries: Norway, Liechtenstein and Iceland as third countries with recognised adequacy for data protection.
Additionally, the European Commission has so far accepted Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection of personal data. Since 2016, it has once again allowed the transfer of data between the EU and the USA through the Privacy Shield mechanism. Prior to this, an arrangement entitled the Safe Harbour scheme facilitated such transfers. It was in 2015, the safe harbor scheme was deemed inadequate because data protection laws are very different in the US and there is no law that operates at federal level. The fear that sharing data with the USA could mean that data subjects would have less protection over their personal data than in the EU. For instance, insufficient protection in place to prohibit data being stored without robust security measures; used without the data subjects' knowledge or sold to other companies without protection in place.
When personal data is being transferred outside of the company or organisation and the country of processing is not in the EU or on the list of countries mentioned, a contract that contains specific clauses that relate to data protection should be used. The clauses that relate to data protection should include a description of which personal data is being transferred; what type of processing activities will be allowed under the contract; what the responsibilities of each of the parties (controller/processor) are and what procedures will be followed in case of a data breach occurring. If you do business with other countries that are still not recognised by the EU as having adequate data protection then either a contractual agreement with data protection clauses or Binding Corporate Rules must be used.
Binding Corporate Rules, is method that can be used to facilitate the transfer of data across countries but only in the case of a group of companies or an organisation that operates in different regions across the globe that belong to the same organisation. These rules will need to be approved by a data protection authority before that can be put into operation. Binding Corporate Rules are generally adopted by large companies that operate in multiple countries to transfer data between these locations and they outline the key principles and criteria for the protection of personal data BCRs can be extremely time consuming to create, agree upon internally and then put into effect across the countries involved, with the additional hurdle that they will also need to be approved by the data protection authority in the EU. That said, it is generally accepted that Binding Corporate Rules is the best option when data is being transferred between different entities of the same parent company and a contractual agreement is usually most suitable for data transfer to external parties within small to medium companies.