Data Protection & GDPR Compliance
Personal Data Transfers
At Devoteam Portugal, we are committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR). One of the most critical aspects of compliance is how we transfer personal data outside the European Economic Area (EEA).
What is a Personal Data Transfer?
A personal data transfer occurs when personal data is sent or made accessible to a country outside the EEA. This includes:
Sending client or employee data to a non-EEA partner or tool provider;
Granting remote access to a non-EEA team or service provider;
Using cloud services where data is stored or processed outside the EEA.
Why Is It Important?
Under the GDPR, personal data transfers outside the EEA can only happen if:
The third country ensures an adequate level of protection (adequacy decision);
Appropriate safeguards (like Standard Contractual Clauses – SCCs) are in place;
A valid derogation applies (e.g. explicit consent from the data subject).
Failure to follow these rules can result in legal and financial consequences for the company and loss of trust from our clients and partners.
Our Rules Before Any Data Transfer
Before transferring any personal data outside the EEA, ensure that:
The transfer is necessary and there’s no local or EEA-based alternative;
You have notified the Data Protection Coordinator and involved the Data Protection Officer (DPO);
The tool or partner has signed our Data Processing Agreement (DPA) and, where required, the Standard Contractual Clauses (SCCs);
A Transfer Impact Assessment (TIA) has been conducted with the support of the DPO, if the transfer involves special category data or constitutes large-scale data processing.
A Transfer Impact Assessment (TIA) helps assess:
The legal and practical level of data protection in the destination country;
Whether SCCs are sufficient to ensure adequate protection;
Whether additional safeguards (such as encryption or access controls) are needed.
TIAs are especially critical when data is transferred to a non-EEA country that does not benefit from an adequacy decision by the European Commission.
Always contact the Data Protection Officer before proceeding with any transfer of personal data outside the EEA. Their review and approval are mandatory to ensure GDPR compliance.
EU Free Transfers Within the EEA
Under GDPR Recital 101, personal data can flow freely between countries within the European Economic Area (EEA). These intra-EEA transfers are not considered “restricted transfers” and do not require additional safeguards, as all EEA countries are bound by the same high standards of data protection under the GDPR.
EEA Countries (Total: 30)
EU Member States (27): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
EEA-EFTA States (3): Iceland, Liechtenstein, Norway.
No additional contractual clauses or assessments (like SCCs or TIAs) are required when transferring personal data between these countries.
Remember: Although no transfer mechanisms are needed, general GDPR principles still apply — such as purpose limitation, data minimisation, and the need for a valid legal basis for processing.
Red Flags to Watch For
Using a U.S.-based tool that hasn’t implemented EU Data Protection safeguards;
Sharing personal data over email with third parties outside the EEA;
Providing unrestricted system access to colleagues or contractors in third countries;
Uploading documents with personal data to platforms not listed as approved by IT/Compliance.
How We Help You Stay Compliant
The DPO supports you by:
Reviewing contracts and transfer mechanisms;
Offering templates (DPA, SCCs) and guidance;
Supporting with Transfer Impact Assessments.
Have Questions?
If you're unsure whether a transfer is allowed or how to proceed, reach out to Rute Reizinho (Compliance Director & DPO) at pt.compliance@devoteam.com.