||The European Economic Area. It is made up of the EU member states plus Iceland, Norway and Liechtenstein.
||General Data Protection Regulation. This sets out the data protection rules which apply across the EEA.
||Standard contractual clauses. These are standard clauses you can use when transferring personal data to other countries to make sure you comply with the rules on international transfers and keep that data protected.
||Data protection officer. If you are a public authority or if your core activities involve certain types of large-scale processing, you must have a DPO.
||A European data protection regulator who takes action on behalf of regulators across the EEA. Having a lead authority avoids your having to deal with different regulators and enforcement action in every EEA country where individuals are affected. You will only have a lead authority if you have an office, branch or other establishment inside the EEA.
||The European Commission has the power to determine whether a third country (the UK becomes a third country to the EU GDPR once the transition period ends) has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. The UK Government are currently seeking adequacy decisions from the European Commission to ensure the free flow of data once the transition period ends. We will update our guidance to reflect the outcome of this.