Transfers on the basis of an adequacy decision
Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy decision’, Article 45 of the GDPR). A decision by the Commission takes priority over other bases for transfer. The decision can apply to a country outside the European Union or European Economic Area, a territory or sector within such a country, or an international organisation.
Personal data can be transferred directly by virtue of an adequacy decision. No specific authorisation, such as from the Data Protection Ombudsman, is required. Such transfers must nevertheless comply with all provisions of the applicable data protection legislation. The processing of personal data must be lawful before, during and after the transfer.
The Commission reviews adequacy decisions at least every four years. As a rule, decisions made by the Commission before the entry into force of the GDPR remain valid also after the adoption of the Regulation. However, the Commission is free to review these decisions and make new ones as required.
To date, the Commission has issued adequacy decisions for the following countries:
Furthermore, the Commission has issued partial adequacy decisions for Canada (commercial organisations).
The Court of Justice has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield in its judgement in the so called Schrems II case (C-311/18). The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.
The EDPB has adopted a ‘Frequently Asked Questions’ document on the judgement.