A controller or processor must not transfer data for processing to a third country or international organisation unless the level of protection for the rights and freedoms of data subjects is adequate.
The level of protection is adequate if the European Commission has decided by means of an implementing act under Article 45 of the GDPR, there are safeguards in place that meet Art.67 of the DPJL or the transfer falls within the exceptions set out in Schedule 3 of the DPJL. Article 67 sets out those safeguards, which include binding corporate rules that comply with Schedule 4.
These restrictions are in place to ensure that the level of protection of individuals afforded by the DPJL is not undermined when transferring their data outside the Bailiwick.
Art.66 states that the transfer of personal data for processing is not permitted to a third country or international organisation unless that country or organisation ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data.
“(1) A controller or a processor must not transfer personal data for processing or in circumstances where the controller or processor knew or should have known that it will be processed after the transfer to a third country or an international organization, unless that country or organization ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This is part of a series of guidance to help organisations fully understand their obligations, as well as to promote good practice.