GDPR requires a demonstration of an adequate level of data protection equivalent to GDPR standards for cross-border data transfers. Managing Cloud guidance explains that personal data may only be transferred outside the EU/EEA if the receiving country or entity ensures appropriate safeguards.

These safeguards may include adequacy decisions, standard contractual clauses, or binding corporate rules. The goal is to ensure that personal data continues to receive the same level of protection regardless of where it is processed.

Formal consent alone is insufficient, and liability is not transferred exclusively to one party. Therefore, demonstrating adequate protection is the correct requirement.