Grigoriiy Kotkowskiy asked:

GDPR compliance - not an “adequacy decision” country

Hello!

Our corporate website's server is located in a country that is not considered an “adequacy decision” country under the GDPR.
I'm aware that the GDPR allows that (under certain conditions). It's just that I don't understand exactly what must be done to meet those requirements. The GDPR says: "In the absence of an adequacy decision, the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:"

Standard data protection clauses: Then some legal mumbo-jumbo that means nothing to me.
Binding corporate rules “BCRs”: Then some legal mumbo-jumbo that means nothing to me.

So, as a Data Protection Officer, what exactly should I do (if anything)?
ASKER CERTIFIED SOLUTION
Dr. Klahn
Grigoriiy Kotkowskiy (ASKER):

Dr. Klahn,
Thanks for your reply!
So basically, it's not a technical question but a legal one...
And if the company is registered in the UK, then if I were to seek legal advice, must I turn to a UK lawyer, or could any lawyer in the EU do that?

Consult a lawyer. The GDPR affects any EU citizen's or company's data, regardless of where the data sits.
It also addresses the transfer of personal data outside the EU and EEA, but here is something from their site where it states that the scope was expanded: Increased Territorial Scope (extraterritorial applicability).

This topic has arisen in several high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

The GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

https://eugdpr.org/the-regulation/
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
http://arbitrationblog.practicallaw.com/the-need-for-a-data-protection-protocol-for-arbitration-proceedings/