Here is a catch between the options “Loss of personal data” and “Transfer of personal data outside the EU”.
A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.
The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.
Article 46 of GDPR
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Article 58 of GDPR
3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).
Submit