The European Commission determines whether a country outside the EU offers an adequate level of data protection.
The effect of such a decision is that personal data can flow from the EU to that ‘third country’ without any further safeguards being necessary. Put more simply, transfers to the country will be treated like a transfer within the EU.
Data protection by design and by default should still be applied, but the regulation requires no specific safeguards to protect the international transfer.
The European Commission has so far recognised a number of countries as providing adequate protection. However, this list can change regularly, so organisations are advised to check here:
Currently, the EU considers transfers of personal data to the United States of America to have adequate protection, but only if the specific organisation is covered by the Data Protection Framework for the specific service that the data is being transferred to. Additional due diligence should therefore be undertaken when transferring personal data to the USA. The same cannot be said for the UK, where the Data Protection Framework is not yet an accepted safeguard.