This episode explores the complexities of international data transfers under GDPR, detailing the criteria established by the European Data Protection Board. It outlines the three criteria to determine when data crossing EU borders qualifies as a transfer under Chapter V of GDPR, along with discussions on adequacy decisions, the EU-US Data Privacy Framework, and practical applications of standard contractual clauses (SCCs). Binding corporate rules (BCRs) and limited exceptions, or derogations, are also explained as methods for legitimate data transfers without adequacy. 00:00 Introduction to International Data Transfers 00:34 Understanding GDPR's Transfer Criteria 01:36 Real-World Examples of Data Transfers 02:08 When Transfers Don't Count 03:23 Green Lights for Data Transfers: Adequacy Decisions 04:00 The EU-US Data Privacy Framework 05:34 Safeguards for Data Transfers 05:49 Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) 07:20 Exceptions and Derogations 11:47 The Importance of Documentation 13:00 Risk Awareness and Conclusion