Not adequate countries are a severe risk for Personal Data transfer
Not Adequate
Countries beyond EU/EEA and not meeting adequacy criteria require additional guarantees to create an appropriate level of data protection.Just because a country does not meet the adequacy criteria, it does not mean Personal Data cannot be processed in that country. However, it does mean that Data Controller using a Data Processor from a third country - must ensure the appropriate level of protection is guaranteed.
A full spectrum of these obligations is listed in the Article 48.
Transfer of Personal Data to a third country is possible. But the burden of compliance and relevant security of vendors and their vendors falls on the Data Controller. This responsibility becomes even more complex with the Schrems II[1][2] ruling. The Data Controller needs to assess the laws of the country you are transferring personal data to.
The easiest way to achieve this is by selecting vendors from EU/EEA or adequate countries.