International data transfers

When there is no adequacy decision, international transfers may be made when the data controller or data processor establishes the appropriate guarantees, respecting the enforceable rights and with effective legal actions, for example through binding corporate rules or the standard contractual clauses adopted by the European Commission.

If the binding corporate rules and standard clauses are adopted by a control authority, they must be subject to the consistency mechanism provided for in the GDPR.

Finally, the GDPR also provides for a series of cases in which, with the lack an adequacy decision or adequate guarantees, a transfer can be carried out if any of the conditions established in Article 49 are met, for example, when the data subject has explicitly given his/her consent to the proposed transfer, the transfer is necessary for the execution of a contract between the data subject and the data controller, or the transfer is necessary for important reasons of public interest.