Iubenda logo
Start generating


Table of Contents

Disclosing Data Transfers

Data of EU residents can not be transferred outside of the European Economic Area (EEA) unless certain requirements are met. 

Under these circumstances, the nation or area to which the data is being transferred must have an “adequate” level of personal data protection by EU standards. However, transfers may still be allowed to countries that don’t meet these requirements (third counties) with the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).

Only when certain requirements are met and in accordance with the GDPR are data transfers of EU residents outside the European Economic Area (EEA) allowed.

Data transfers to the US

The US is currently considered a third country as there is no active framework in place. President Biden has just signed an executive order, so we may see a few more coming out soon. As for now, you need to make sure you’re doing the following if you’re transferring data to the US: 

  1. Make sure you’re using an a valid data transfer option such as SCCs, BCCs.
  2. Ensure you have users’ informed consent, a requirement for all transfers. User must be clearly informed of the risks associated with the transfer including information on the lack of protection in the third country.

💡 In order to properly disclose data transfers, you need to include a clause that contains information about the risks involved. You can find this clause in your iubenda dashboard.

Disclosing Data Transfers

Don’t have a privacy policy that includes this disclosure?

Generate one now!