To enforce the Regulation outside the bounds of the EU, the GDPR has a number of elements designed to control how organisations within the EU are able to transfer personal data internationally.

So-called “third countries”, those outside the bounds of the EU, are designated under the DPD as “any country other than the EU and EEA Member States”. Given that the Council of Europe includes 17 distinct groups like the EU, EEA, Eurozone and the EFTA, with a complex set of overlaps, it’s critical to understand who “in Europe” you’re allowed to send information to, and what rules need to be in place to do so.

For ease of reference, the EU and EEA countries are shown in Table 2.

Table 2: EU and EEA country ...
