Transfers on the basis of an adequacy decision
Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy decision’, Article 45 of the GDPR). A decision by the Commission takes priority over other bases for transfer. The decision can apply to a country outside the European Union or European Economic Area, a territory or sector within such a country, or an international organisation.
Personal data can be transferred directly by virtue of an adequacy decision. No specific authorisation, such as from the Data Protection Ombudsman, is required. Such transfers must nevertheless comply with all provisions of the applicable data protection legislation. The processing of personal data must be lawful before, during and after the transfer.
The Commission reviews adequacy decisions at least every four years. As a rule, decisions made by the Commission before the entry into force of the GDPR remain valid also after the adoption of the Regulation. However, the Commission is free to review these decisions and make new ones as required.
To date, the Commission has issued adequacy decisions for the following countries:
Furthermore, the Commission has issued partial adequacy decisions for Canada (commercial organisations) and the United States of America (the Privacy Shield framework).
Personal data can be transferred to the United States of America under the Privacy Shield framework established in 2016. The framework imposes data protection obligations on US companies and safeguards the rights of data subjects and includes an appeal mechanism for data subjects.
Use of the framework as a data transfer mechanism requires the receiving company to be a certified Privacy Shield company. The registrations are supervised by, for example, the U.S. Department of Commerce. Only companies with adequate data protection principles are admitted into the Privacy Shield framework.
If you want to transfer data on the basis of the Privacy Shield
- Check the Privacy Shield list to see whether the US company in question is a member of the framework. Also check that its registration is active, as it must be renewed on an annual basis.
- Make sure that the framework covers the planned processing activities.
Please note that any transfer of data must also be fully compliant with the GDPR.
If the US company’s registration is no longer valid, you cannot transfer new data to the company under the Privacy Shield framework. The company is nevertheless required to continue securing previously transferred data according to the level of protection guaranteed by Privacy Shield.
Even if the transfer of personal data would not be possible on the basis of the Privacy Shield framework, you may still be able to employ the other transfer mechanisms provided for in Chapter V of the GDPR.