OneTrust Certified Privacy Professional Practice Exam

What must an organization ensure when transferring personal data to a third country under GDPR?

• A. High data processing costs
• B. Secure personal data storage
• C. Adequate level of data protection or approved mechanisms
• D. External audits by third parties

The correct answer is: Adequate level of data protection or approved mechanisms

When transferring personal data to a third country under GDPR, an organization must ensure an adequate level of data protection or utilize approved mechanisms. This requirement is pivotal to the GDPR framework, which aims to maintain the same level of data protection as provided under EU law, even when data is processed outside of the EU. Countries or regions outside the EU may not offer an equivalent level of data protection, hence the GDPR stipulates that organizations must conduct a thorough assessment of the receiving country's data protection laws. If the third country does not have adequate protections in place, organizations can rely on alternative mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), which are designed to ensure that data remains protected in accordance with the conditions set out by GDPR. Other considerations, like data processing costs, data storage security, or external audits, while they may play a role in an organization's overall data management strategy, do not directly address the core requirement of ensuring adequate protection during international data transfers under the GDPR. Therefore, the focus on an adequate level of protection or the use of approved mechanisms is essential for compliance and safeguarding individuals' privacy rights when their data is transferred globally.