Transfers on the basis of an adequacy decision
Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy decision’, Article 45 of the GDPR). A decision by the Commission takes priority over other bases for transfer. The decision can apply to a country outside the European Union or European Economic Area, a territory or sector within such a country, or an international organisation.
Personal data can be transferred directly by virtue of an adequacy decision. No specific authorisation, such as from the Data Protection Ombudsman, is required. Such transfers must nevertheless comply with all provisions of the applicable data protection legislation. The processing of personal data must be lawful before, during and after the transfer.
The Commission reviews adequacy decisions at least every four years. As a rule, decisions made by the Commission before the entry into force of the GDPR remain valid also after the adoption of the Regulation. However, the Commission is free to review these decisions and make new ones as required.
To date, the Commission has issued adequacy decisions for the following countries (links lead to the EUR-Lex web service):
Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK and Uruguay.
Furthermore, the Commission has issued a partial adequacy decision for Canada (commercial organisations).
Adequacy decisions made under the GDPR are not applicable to the transfers of data within the scope of application of the Law Enforcement Directive, and with the exception of the United Kingdom, no adequacy decisions under the Law Enforcement Directive have been made yet. Other transfer instruments in accordance with the Finnish Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security must be used for transfers to third countries.
EU-U.S. Data Privacy Framework
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision permits the transfer of data from the EU and EEA to participating companies in the US without additional safeguards.
The adequacy decision applies to transfers of personal data made to US companies that have committed to the safeguards specified in the arrangement. The adequacy decision cannot be used as an instrument for the transfer of personal data between public sector entities.
- Adequacy decision for the EU-US Data Privacy Framework (on the commission’s website)
- Frequently asked questions regarding the adequacy decision concerning data protection in the US
- Questions & Answers: EU-US Data Privacy Framework (on the commission’s website)
- EU-US Data Privacy Framework FAQ for European individuals (on the EDPB's website)
- EU-US Data Privacy Framework FAQ for European businesses (on the EDPB's website)
- List of certified organisations committed to the adequacy decision (website under the Federal Trade Commission)
Frequently asked questions regarding the adequacy decision concerning data protection in the United States
The European Commission's decision on the adequacy of data protection in the United States entered into force on 10 July 2023.
By virtue of the decision, organisations located in the European Economic Area (EEA) may transfer personal data to certified US organisations that are committed to complying with the safeguards specified in the adequacy decision. Personal data can be transferred directly on the basis of the adequacy decision without the need for, e.g. the Data Protection Ombudsman's permission.
The adequacy decision improved the rights of EU citizens since the safeguards adopted by the United States apply to all data being transferred to the United States, irrespective of the basis for the transfer. The new safeguards apply to the legal remedies of data subjects residing in the European Economic Area as well as to the proportionality and necessity of US intelligence legislation.
The transfer of personal data out of the EEA always requires a basis provided for in Chapter V of the General Data Protection Regulation. A Commission decision on the adequacy of data protection is one such basis for the transfer of personal data.
A basis for transfer does not give the right to transfer personal data out of the EEA in itself. Rather, the controller must take the requirements of the GDPR as a whole into account. In addition to the GDPR, the controller must also observe other data protection legislation, such as the national Data Protection Act and special legislation applying to certain sectors and data files. Data may not be transferred to a recipient in the United States if the processing as a whole does not meet statutory requirements.
Read more:
Operators in the private, public and non-profit sectors can all transfer data by virtue of the European Commission's adequacy decision. However, the adequacy decision cannot be used as a basis for transfers of data between public-sector organisations, since public-sector organisations in the United States cannot be certified for the framework.
Public-sector organisations located in the EEA cannot transfer data to US public-sector organisations by virtue of the adequacy decision. Therefore, they need some other basis provided in the GDPR for the transfer of personal data.
Read more:
Transfers of personal data out of the European Economic Area
The organisation receiving the data must be listed in the Data Privacy Framework list of certified US organisations compiled by the US Department of Commerce.
- List of certified organisations committed to the adequacy decision: https://www.dataprivacyframework.gov/list
Only organisations under the jurisdiction of the Federal Trade Commission (FTC) or US Department of Transportation (DoT) can be certified as parties complying with the adequacy decision. For example, US authorities, banks and insurance companies cannot be certified for this list.
Transfers of data based on the adequacy decision do not require additional safeguards. However, the controller must comply with other requirements arising from legislation, such as data protection principles, the transparent information of data subjects and the fulfilment of rights.
The use of cloud services involves a number of challenges regarding the use of sub-processors and the definition of the roles of controller and processor. More information on the use of cloud services is available from the European Data Protection Board report (link below).
As a rule, citizens cannot choose whether or not to use public-sector services. Public-sector organisations thus have a special duty of care regarding the choice of service providers, also from the perspective of compliance with data protection legislation.
Read more:
A Commission adequacy decision is one of the bases for transfer listed in the GDPR. The adequacy decision facilitates the transfer of data to certified organisations in the United States. However, in addition to having a basis for transfer, the controller must comply with data protection legislation as a whole.
For example, the controller must assess the risks related to the processing of personal data. A data protection impact assessment must be conducted if the planned processing is likely to cause a high risk to the rights and freedoms of individuals.
The use of cloud services involves a number of challenges regarding the use of sub-processors and the definition of the roles of controller and processor. More information on the use of cloud services is available from the European Data Protection Board's report (link below).
Read more:
- What do organisations need to take into account when processing personal data?
- Impact assessment
- European Data Protection Board report: Coordinated Enforcement Action, use of cloud-based services by the public sector
- List of certified organisations committed to the adequacy decision: https://www.dataprivacyframework.gov/s/participant-search
The data protection authorities assess the legal state prevailing at the time of the complaint. In other words, the adequacy decision is not applied retrospectively. Complaints filed with the authorities will be resolved on a case-by-case basis.
You have the right to access your own personal data. You can ask the organisation which of your data it is processing. You can also ask the organisation to correct, complement or erase your data if it is inaccurate or has been processed in violation of the principles of the adequacy decision.
Where should I file a complaint?
You can monitor the fulfilment of your rights and file a complaint in several ways.
A company certified for the adequacy decision must publish contact details for filing complaints and the contact details of an independent arbitration body. The company must reply to complaints within 45 days.
As a private individual, you can file a complaint
- directly with the organisation that is processing your personal data,
- with the independent arbitration body,
- with the national data protection authority (in Finland, the Office of the Data Protection Ombudsman),
- with the US Department of Commerce (DoC), or
- with the US Federal Trade Commission (FTC).
You can choose any or all of the above-mentioned complaint mechanisms, in any order. You are not obliged to choose a particular mechanism or to proceed in a certain order. If necessary, your matter will be resolved with a decision providing effective remedies.
If none of these appeal or enforcement mechanisms is successful in resolving your complaint, you still have recourse to binding arbitration (the EU-U.S. Data Privacy Framework panel).
You can file a complaint with the national data protection authority. In Finland, this is the Data Protection Ombudsman. The Office of the Data Protection Ombudsman will relay your complaint to the European Data Protection Board, which will pass it on to the United States.
An independent authority based in the United States processes complaints by private individuals concerning transfers of data from the EEA to the United States as well as the use of such data by the US intelligence services.
You can file a complaint even if you are not certain that the US intelligence services have processed your data.
Contact details of the Office of the Data Protection Ombudsman
How will my matter be processed in the United States?
The US government has established a two-tiered appeal mechanism. A complaint will first be investigated by the Civil Liberties Protection Officer of the intelligence services. It is the duty of this official to ensure that the US intelligence services comply with privacy and fundamental rights.
When this official has completed their investigation, you will be notified of the results:
- has the law been broken, and
- how has the potential breach been rectified.
If you are not satisfied with the decision of the Civil Liberties Protection Officer, you can complain about the decision to the Data Protection Review Court (DPRC).
The DPRC has the right to obtain the information necessary for investigating the complaint from the intelligence services. It also has the power to make binding corrective decisions and issue orders, for example on the erasure of data.
When the DPCR investigation has been completed, you will be notified of the results:
- has the law been broken,
- how has the potential breach been rectified.
You will also be notified when further information on the processing of your matter is available at a later date.
The European Commission regularly evaluates the functioning of the EU-US Data Privacy Framework together with European data protection authorities and the representatives of the competent US authorities.
The first evaluation will be conducted within one year of the adequacy decision's entry into force. The evaluation considers the transposition of the adequacy decision to US legislation and determines whether the safeguards are effective in practice.