This is why, as a first step, it is necessary to identify the processes that are data transfers outside the EU. In the absence of an adequacy decision, organizations should consider and provide appropriate safeguards (standard contractual clauses or BCRs). The comfort of certification systems and codes of conduct as possible transmission mechanisms should not be underestimated. . . .