The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.
The organization shall pay particular attention to the communication of these situations and the timing of the communication to interested customers, unless this is illegal due to, for example, an ongoing investigation or other legal matter.
These practices must be describeable to interested customers upon request. Procedures and reporting obligations must be described, e.g. contracts for offered digital services.
GDPR defines the conditions for the lawful transfer of personal data outside the EU or the EEA.
The organization shall document all data transfers and the applicable transfer criteria. Data transfers can occur, for example, based on the location of the data system, the data processing partner or the recipient of the data disclosure.