Simply saying that you will comply with these rules is not enough. These model contracts state that you must safeguard the rights of data subjects and provide effective legal remedies. Sometimes this is simply not possible due to privacy regulations in the country where the company is based, such as the US.
Another possibility is to use an approved code of conduct or certification. Of course, the same problem remains with the guarantees and legal remedies. This is also no solution for the US.
For organisations that operate in multiple countries, so-called binding corporate rules are sometimes the solution. These are rules within the international company, agreed between its various international branches, that allow personal data to be transferred internationally. They must first be approved by the European supervisory authority, the European Data Protection Board (EDPB).
In this way, for example, you could use a company that has an establishment in the EU, but also in another, inadequate country.
Provide explicit consent
A final option is consent. If a data subject, i.e. the person to whom the personal data relates, gives explicit consent for the transfer of personal data outside the EU, then the transfer is permitted.
Simply stating in the privacy statement that you use services outside the EU/EEA is therefore not sufficient. The fact that someone simply has no objection is also not sufficient. After all, none of this constitutes explicit consent. Furthermore, consent must be freely given. If consent is necessary to be able to use your service or product, it is no longer free consent, but consent has become a condition for being able to use your service or product.
You can only rely on permission if you have obtained it separately for this processing. For this, the person concerned must perform an active action, such as checking a box or clicking a button. Of course, the person concerned must first have received sufficient information.
The permission may not be linked to being able to use certain functions, services or products.