Just because a country does not meet the adequacy criteria, it does not mean Personal Data cannot be processed in that country. However, it does mean that Data Controller using a Data Processor from a third country - must ensure the appropriate level of protection is guaranteed.

A full spectrum of these obligations is listed in the Article 48.

Transfer of Personal Data to a third country is possible. But the burden of compliance and relevant security of vendors and their vendors falls on the Data Controller. This responsibility becomes even more complex with the Schrems II[1][2] ruling. The Data Controller needs to assess the laws of the country you are transferring personal data to.

The easiest way to achieve this is by selecting vendors from EU/EEA or adequate countries.

• [1] Schrems II a summary - all you need to know
• [2] Max Schrems / Schrems II