Grigoriiy Kotkowskiy asked on

GDPR compliance - not an “adequacy decision” country

Hello!

Our corporate website's server is located in a country that's considered not an “adequacy decision” country, according to GDPR.
I'm aware that GDPR allows that (under certain conditions). It's just I don't understand exactly what must be done to match those requirements. GDPR says: "In the absence of an adequacy decision, the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

Standard data protection clauses: Then some legal mumbo-jumbo that means nothing to me.
Binding corporate rules “BCRs”: Then some legal mumbo-jumbo that means nothing to me.

So as a Data Protection Officer - what exactly should I do (if anything)?
Network Security

Last Comment
madunix

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Dr. Klahn

ASKER
Grigoriiy Kotkowskiy

Dr. Klahn,
Thanks for your reply!
So basically, it's not a technical question, but a legal one...
And if the company is registered in the UK, then if I were to seek legal advice, must I turn to a UK lawyer, or could any lawyer in the EU do that?
madunix

Consult a lawyer. GDPR affects any EU citizen's/company's data regardless of where the data sits.
It also addresses the transfer of personal data outside the EU and EEA areas, but here is something from their site where it states it expanded: Increased Territorial Scope (extraterritorial applicability).

This topic has arisen in several high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

The GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

https://eugdpr.org/the-regulation/
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
http://arbitrationblog.practicallaw.com/the-need-for-a-data-protection-protocol-for-arbitration-proceedings/


