IDC Names Securiti a Worldwide Leader in Data Privacy


What Does European Commissions’ Adequacy Decision Mean?

Published January 3, 2022 / Updated November 22, 2023

Listen to the content

Explaining European Commissions’ GDPR Adequacy Decisions

The European Union’s GDPR applies to organizations within and outside the EU where countries that aren’t a part of the EU are regarded as third countries.

The GDPR restricts the transfer of a data subject’s personal data to third countries unless security measures of the third country protect their personal data or the data is legally required for processing.

Having an adequacy decision declared for a country means that any data controller or data processor can transfer data from the EU and EEA countries to that third country more easily as the controller or processor does not need to put in additional legal and technical safeguards because the third country’s laws offer similar protection to GDPR.

What is an Adequacy Decision?

This does not require the third country to have exactly the same law as GDPR, but contain sufficient safeguards for the EU to consider it “adequate”.

The European Commission reviews the laws and practises of third countries to check whether they offer the same levels of data protection presently existing within the EU. Essentially, an adequacy decision is a conclusive decision that permits a data transfer across the EU borders without further authorization from the governing authority.

The EU’s executive branch or the European Commission can determine whether a third country has an adequate level of data protection. It means transfers of personal data from the EU to adequate countries can occur without further safeguards.

When it comes to adopting an adequacy decision, certain formalities need to be taken care of:

  • An official proposal from the European Commission
  • An opinion from the European Data Protection Board
  • The explicit approval from the EU countries’ representatives
  • The European Commission’s approval of the decision

The EU’s adequacy decision states that personal data can flow from the EU to third countries (adequate countries) without necessary further safeguard.

List of Adequate Countries

As at December 29th 2021, the European Commission has so far recognized the following countries/states as having adequate protection:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom
  • Uruguay

The countries/states, as mentioned above, can receive the personal data of data subjects from the EU as they have appropriate conditions that safeguard the data once received.

Maria Khan

Authored by Maria Khan

Maria Khan is a IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.

Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend