CHAPTER 13: MANAGING PERSONAL DATA INTERNATIONALLY
To enforce the Regulation outside the bounds of the EU, the GDPR has a number of elements designed to control how organisations within the EU are able to transfer personal data internationally.
So called “third countries”, those outside the bounds of the EU, are designated under the DPD as “any country other than the EU and EEA Member States”. Given that the Council of Europe includes 17 distinct groups like the EU, EEA, Eurozone and the EFTA, with a complex set of overlaps, it’s critical to understand who “in Europe” you’re allowed to send information to, and what rules need to be in place to do so.
For ease of reference, the EU and EEA countries are shown in Table 2.