European Commissions Adequacy Decision – Explained

Explaining European Commissions’ GDPR Adequacy Decisions

The European Union’s GDPR applies to organizations within and outside the EU where countries that aren’t a part of the EU are regarded as third countries.

The GDPR restricts the transfer of a data subject’s personal data to third countries unless security measures of the third country protect their personal data or the data is legally required for processing.

Having an adequacy decision declared for a country means that any data controller or data processor can transfer data from the EU and EEA countries to that third country more easily as the controller or processor does not need to put in additional legal and technical safeguards because the third country’s laws offer similar protection to GDPR.

What is an Adequacy Decision?

This does not require the third country to have exactly the same law as GDPR, but contain sufficient safeguards for the EU to consider it “adequate”.

The European Commission reviews the laws and practises of third countries to check whether they offer the same levels of data protection presently existing within the EU. Essentially, an adequacy decision is a conclusive decision that permits a data transfer across the EU borders without further authorization from the governing authority.

The EU’s executive branch or the European Commission can determine whether a third country has an adequate level of data protection. It means transfers of personal data from the EU to adequate countries can occur without further safeguards.

When it comes to adopting an adequacy decision, certain formalities need to be taken care of:

• An official proposal from the European Commission
• An opinion from the European Data Protection Board
• The explicit approval from the EU countries’ representatives
• The European Commission’s approval of the decision

The EU’s adequacy decision states that personal data can flow from the EU to third countries (adequate countries) without necessary further safeguard.

List of Adequate Countries

As at December 29th 2021, the European Commission has so far recognized the following countries/states as having adequate protection:

• Andorra
• Argentina
• Canada (commercial organizations)
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Japan
• Jersey
• New Zealand
• Republic of Korea
• Switzerland
• United Kingdom
• Uruguay

The countries/states, as mentioned above, can receive the personal data of data subjects from the EU as they have appropriate conditions that safeguard the data once received.