"Adequate level of data protection"

Thinking in GDPR includes the need to understand how the legislation extends its reach into other jurisdictions. One good example is the need to think in terms of "data export" and the European Commission's power to determine if a country has an adequate level of data protection.

See details here of which countries have been determined to have an adequate level of data protection:

Adequacy decisions

The list (as at Oct 2019) of countries is:

Andorra
Argentina
Canada (commercial organisations)
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
New Zealand
Switzerland
Uruguay
United States of America (limited to the Privacy Shield framework)
Japan (recent)

It is possible to transfer data to a country that doesn't have the designation of having "adequate data protection", but you have to take on the burden of making the whole exchange GDPR-like, see: