Adequacy Decisions under the GDPR

Adequacy Decisions under the GDPR

***Schrems II update***

In July 2020, the Court of Justice of the European Union ruled that the Privacy Shield adequacy decision for the USA was invalid because of invasive US surveillance programs. You can read more about the background of the case, the decision and the implications here.

Recommended further reading: Schrems II: What next for data transfers

Chapter 5 of the GDPR deals with International Data Transfers and the conditions under which they can take place. Specifically, Article 45 talks about transfers on the basis of an Adequacy Decision. 

Adopting an Adequacy Decision

Adequacy decisions are how the EU determines if a third country has an adequate level of data protection and there are four main steps involved in adopting an adequacy decision.

steps in adopting adequacy decision

When the European Commission assesses whether an adequate level of protection is in place, firstly, they look at things like the rule of law, respect for human rights and fundamental freedoms, access of public authorities to personal data and rules for onward transfer of personal data to another third country or international organisation.

Secondly, they want to see if an effective supervisory authority exists in the country and if that authority has adequate enforcement powers.

Finally, they will look at international commitments the third country has entered into or other legally binding obligations.

Once a third country has an adequacy decision, personal data can travel from the EU to that country without putting any further safeguards in place.

Revoking a Decision?

However, adequacy doesn’t necessarily last forever. At least every 4 years the Commission will review the decision, taking into account relevant developments in the third country. The Commission will also regularly monitor developments in third countries that could affect how the adequacy decision works. They can then appeal, amend or suspend the adequacy decision as necessary.

Lastly, the Commission has to publish a list of sectors, countries, territories and organisations that have adequacy decisions.

We have created a useful poster map for your wall so you can see the current adequacy decisions at a glance (as at June 2020). Download an A4 size PDF of this poster here

Sources and further readings:

European Commission Website

GDPR Article 45

GDPR Recitals 103 – 107