The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679 (GDPR) whether a country outside the EEA offers an adequate level of data protection.
The procedure for the adoption of an adequacy decision at the EU level involves:
– a proposal from the European Commission;
– an opinion of the European Data Protection Board;
– an approval from representatives of EU countries;
– the adoption of the decision by the European Commission.
At any time, the European Parliament and the Council of the EU may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.
The effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EEA transmissions of data.
A determination of adequacy of the data protection level may cover the entire territory of the third country, particular controllers and their ambit (in accordance with a specific legal framework, including a national law on data protection), or particular programmes for data exchanges or types of processing.
The European Commission has so far recognised the following 13 countries (listed alphabetically) as providing adequate protection: the Principality of Andorra, the Argentine Republic, Canada, the Faroe Islands, the Bailiwick of Guernsey, the State of Israel, the Isle of Man, Japan, the Bailiwick of Jersey, New Zealand, the Swiss Confederation, the Oriental Republic of Uruguay, the United Kingdom.
These adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by Article 36 of Directive (EU) 2016/680.
In respect of the US, in 2016 the European Commission adopted an adequacy decision on the EU-US Privacy Shield, which was invalidated by a judgment of the Court of Justice of the EU of 16 July 2020. Therefore, data from an EEA country to the US should be transferred through an alternative tool for data transfers to third countries, chosen by the controller/processor, in accordance with the options laid down in Chapter V of the GDPR.
Adequacy talks with South Korea were concluded on 30 March 2021, and on 19 February 2021, the Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, under the GDPR and Directive (EU) 2016/680 (the Law Enforcement Directive), respectively.
Decisions on an adequate level of personal data protection adopted by the European Commission by 20 April 2021:
7. Commission Decision of 28 April 2004 on the adequate protection of personal data in the Isle of Man
28.02.2022
