![The list of countries deemed adequate for GDPR transfers [TABLE]](https://static.dastra.eu/content/4e8d6358-aafc-43bb-8dfa-ba47e22f58eb/la-liste-des-pays-adequats-pour-les-transferts-rgpd-tableau-1000.webp)
Transfer of personal data to countries outside the European Economic Area (EEA) is generally prohibited by default. However, exceptions are provided for by the General Data Protection Regulation (GDPR). One of the key mechanisms to secure such transfers is the recognition of the adequacy of the recipient country by the European Commission. This article aims to provide guidance to Data Protection Officers (DPOs) and other data protection professionals on the list of countries considered adequate by the European Union for transfers of personal data.
Legal framework of Article 45 of the GDPR
Article 45 of the GDPR allows for transfers of personal data to a third country or an international organization when the European Commission has determined that this third country, territory, or one or more specific sectors within that third country, or that international organization, provides an adequate level of protection.
This adequacy decision implies that the third country or international organization offers a level of data protection essentially equivalent to that guaranteed within the EU/EEA. This assessment is based on several criteria, including:
- Respect for the rule of law, human rights, and fundamental freedoms.
- Existence and effective functioning of one or more independent supervisory authorities.
- International commitments of the country or international organization in the field of data protection.
List of adequate countries & adequacy decisions
Here is a detailed description of the countries currently recognized by the European Commission as providing adequate data protection, as well as the corresponding adequacy decisions and a brief description of their local data protection legislation:
| Country | Adequacy Decision | Local Law | Description | URL |
|---|---|---|---|---|
| Andorra | October 19, 2010 | Law 15/2003 on the protection of personal data | Andorran law ensures the protection of personal data and is aligned with the principles of the GDPR. | Commission Decision on Andorra |
| Argentina | June 3, 2003 | Law 25.326 on the protection of personal data | Argentinian law establishes strong principles of data protection, similar to those of the GDPR. | Commission Decision on Argentina |
| Canada | December 20, 2001 | Personal Information Protection and Electronic Documents Act (PIPEDA) | PIPEDA applies to commercial organizations and provides an adequate level of protection. Only commercial organizations are covered by this adequacy decision. Data processing in private sectors such as commerce, financial services, and other commercial organizations are included. |
Commission Decision on Canada |
| Faroe Islands | December 8, 2010 | Law on the protection of personal data | Faroese legislation is in line with the principles of the GDPR, thus ensuring adequate protection. | Commission Decision on the Faroe Islands |
| Guernsey | November 21, 2003 | Data Protection (Bailiwick of Guernsey) Law, 2017 | Guernsey's law is aligned with GDPR standards, ensuring a high level of protection. | Commission Decision on Guernsey |
| Israel | January 31, 2011 | Privacy Protection Act, 1981 | Israeli data protection law is considered to provide adequate protection. | Commission Decision on Israel |
| Isle of Man | April 28, 2010 | Data Protection Act 2002 | The legislation of the Isle of Man complies with European requirements for data protection. | Commission Decision on the Isle of Man |
| Japan | January 23, 2019 | Act on the Protection of Personal Information (APPI) | Japan has implemented additional guarantees to align its data protection with EU standards. | Commission Decision on Japan |
| Jersey | November 21, 2003 | Data Protection (Jersey) Law 2018 | Jersey has laws that comply with EU data protection principles. | Commission Decision on Jersey |
| New Zealand | December 19, 2012 | Privacy Act 1993 (amended in 2020) | New Zealand provides adequate protection of data, with principles aligned with those of the EU. | Commission Decision on New Zealand |
| Switzerland | July 26, 2000 | Federal Data Protection Act (LPD) | Swiss legislation is harmonized with that of the EU, ensuring adequate protection. | Commission Decision on Switzerland |
| Uruguay | August 21, 2012 | Law on Personal Data Protection and Habeas Data (Law No. 18.331) | Uruguay has established robust legislation on the protection of personal data. | Commission Decision on Uruguay |
| United Kingdom | June 28, 2021 | Data Protection Act 2018 | Following Brexit, the UK has obtained an adequacy decision confirming that its data protection laws offer equivalent protection to the GDPR. | Commission Decision on the United Kingdom |
| Republic of Korea | December 17, 2021 | Act on the Protection of Personal Information (PIPA) | The Republic of Korea has implemented measures to align its data protection legislation with GDPR requirements. | Commission Decision on the Republic of Korea |
Adequacy of the United States: the Data Privacy Framework
After the successive invalidations of the Safe Harbor and Privacy Shield frameworks, the European Union and the United States negotiated a new framework for data transfers. The European Commission adopted an adequacy decision for the United States on July 10, 2023.
- Adequacy Decision: July 10, 2023
- Local Law: Data Privacy Framework (DPF)
- Description: The Data Privacy Framework (DPF) was established to address concerns raised by the CJEU regarding government surveillance and remedies for data subjects. It includes binding commitments from U.S. authorities to limit intelligence agencies' access to EU data and provide effective remedies to European citizens. The DPF also relies on a self-certification mechanism where U.S. businesses must commit to comply with the data protection principles defined by the framework and renew this certification annually.
- URL: Commission Decision on the United States
Review and revocation process
Adequacy decisions are not permanent. The European Commission continuously monitors the evolution of laws and data protection practices in third countries and can revoke or suspend an adequacy decision if it considers that the level of adequate protection is no longer ensured.
Practical implications for organizations
The adequacy decision greatly simplifies data transfers to these countries by removing the need for additional safeguards such as standard contractual clauses, binding corporate rules, or codes of conduct. For DPOs, this means reduced administrative burden and increased legal certainty when planning data transfers.
For organizations operating in the EU/EEA, it is important to stay informed about the status of adequacy decisions, as any changes can affect their data transfer strategies. *
Here are some best practices:
- Regular checking: Regularly check the list of adequate countries on the European Commission website to stay up to date.
- Standard contractual clauses: Have alternative mechanisms ready, such as standard contractual clauses, for transfers to countries that may lose their adequacy status.
- Continuous assessment: Regularly assess the risks related to data transfers to third countries, even those recognized as adequate.
European Commission's adequacy decisions report of April 2024
For more information on adequacy decisions and data transfer mechanisms, refer to the European Commission's report published in 2024. This report provides a detailed analysis of data transfer frameworks and current adequacy decisions. It renews decisions for 11 countries.
- Report link: Commission Report (2024)
- Associated press release: European Commission Press Release
How can Dastra help you?
We include the list of countries recognized as adequate by the European Commission in our platform by default and keep it up to date. Moreover, we monitor any necessary updates in case of changes to these adequacy decisions. Through our interactive world map, you can visualize all data transfers and quickly verify their compliance.