How does GDPR apply to the transfer of personal data from an EU entity to an international organization?

“Entities subject to the GDPR that exchange personal data with international organisations have to comply with the GDPR, including its rules on international transfers (Chapter V of the GDPR),” says the European Data Protection Board in a response letter to Miguel de Serpa Soares, Undersecretary General for Legal Affairs and UN Legal Counsel.

“The EDPB guidelines on the territorial scope of the GDPR clarify the specific (and limited) obligations of service providers established in the EU that carry out processing on behalf of an entity that is not subject to the GDPR.”

“At the same time … certain questions remain … The European Data Protection Board will explore ways to further clarify how the rules on international transfers under the GDPR apply when personal data is transferred to international organisations. Please note that this may require some time due to the judgment of the Court of Justice of the European Union in case C-311/18 (Schrems II) issued on 16 July 2020.”

Read the full text of EDPB letter.