Third Country
Definition
Under GDPR, any country outside the European Economic Area (EEA) that hasn't received an adequacy decision from the European Commission, requiring special safeguards for personal data transfers. Third countries present challenges because their data protection frameworks may not meet EU standards, potentially exposing transferred data to inadequate protections.

Transfers to third countries require: an adequacy decision from the Commission (allowing free flow), appropriate safeguards like Standard Contractual Clauses or Binding Corporate Rules, or specific derogations for particular situations (explicit consent, contract necessity, legal claims, public interest, etc.). The Schrems II decision invalidated Privacy Shield and emphasized that organizations must assess whether third country laws (particularly government surveillance laws) undermine transfer mechanism protections.

Organizations transferring to third countries should: conduct Transfer Impact Assessments evaluating destination legal frameworks, implement supplementary measures when assessments reveal risks (encryption, pseudonymization, access controls), use appropriate transfer mechanisms, and document transfer decisions. Third country considerations affect cloud service selection, vendor relationships, and group data flows.
Applicable Laws & Regulations
- GDPR Article 44
- GDPR Article 45
- GDPR Article 46