Data of EU residents can not be transferred outside of the European Economic Area (EEA) unless certain requirements are met.
Under these circumstances, the nation or area to which the data is being transferred must have an “adequate” level of personal data protection by EU standards. However, transfers may still be allowed to countries that don’t meet these requirements (third counties) with the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Only when certain requirements are met and in accordance with the GDPR are data transfers of EU residents outside the European Economic Area (EEA) allowed.
The US is currently considered a third country as there is no active framework in place. President Biden has just signed an executive order, so we may see a few more coming out soon. As for now, you need to make sure you’re doing the following if you’re transferring data to the US:
💡 In order to properly disclose data transfers, you need to include a clause that contains information about the risks involved. You can find this clause in your iubenda dashboard.