You can only transfer personal information to another country if that is done safely. Countries are safe if the law says they are safe, or if the European Commission has declared them to be safe.
The law deems that the countries of the European Economic Area are safe. That means that the twenty seven countries of the European Union plus Iceland, Liechtenstein and Norway (and the UK during the transition period) are all ‘safe’ countries to send personal data.
In addition, the European Commission has issued what are called ‘adequacy decisions’ in respect of the following countries meaning they are ‘safe’ countries to send data to as well. Those countries are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
What about the USA?
Lots of organisations in the EU need to share personal data with organisations in the USA in order to carry on doing business the way they want. For example, many cloud hosting platforms are based in the US as well as social media companies and SAAS platforms.
Organisations in the USA used to be deemed ‘safe’ to share data with if they were signed up to the Privacy Shield Framework. However, a court decision in July 2020 has deemed the Privacy Shield Framework is not safe enough for the personal information of EU citizens and, therefore, the USA is now deemed an unsafe location to send personal information (but carry on reading).