Controllers wishing to transfer personal data outside the EEA must first ensure that the country of destination offers an adequate level of protection.
A so-called “adequacy decision” is one of the tools provided for under the GDPR enabling transfers of personal data from the EEA to third countries (article 45 of the GDPR). More specifically, the European Commission has the power to adopt an adequacy decision, setting out that a country, a territory or one or more specified sectors within that third country, or an international organisation offers an adequate level of protection of personal data. Where such a decision has been adopted, the transfer may be carried out in the same manner as if it was carried out within the EEA[1]. The European Commission has issued adequacy decisions for the following countries:
- Andorra,
- Argentina,
- Canada (for transfers to recipients subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA")),
- Faroe Islands,
- Guernsey,
- Israel,
- Isle of Man,
- Japan,
- Jersey,
- New Zealand,
- Republic of Korea,
- Switzerland ,
- United Kingdom
- United States of America (only for companies certified under the EU-US Data Privacy Framework: see next section) and
- Uruguay.
Data exporters should verify that their activities or the categories of data they are processing fall within the scope of the adequacy decision which constitutes a basis for the intended transfer.
[1] Article 45 of the GDPR.