Lexicon > Adequacy

IT Lexicon


Transfers of personal data to a country outside the European Economic Area or to an international organization can only take place if the conditions defined in the GDPR are met by the exporter and importer of the data.

The GDPR permits such data transfers provided that a sufficient and appropriate level of data protection is ensured. They must be framed using various legal tools, including:

  • An adequacy decision by the European Commission;
  • Standard contract clauses;
  • Internal company rules;
  • An approved code of conduct;
  • A certification mechanism.

The adequacy decision is the first legal tool for regulating transfers, insofar as it is taken on the basis of an overall examination of the legislation in force in a State, its supervisory authorities and the international commitments it has entered into, by the European Commission.

It allows data controllers and processors to allow the transfer of data without additional requirements from the European Economic Area to the country concerned.

The following non-EU countries have so far received an adequacy decision from the European Commission:

  • Andorra;
  • Argentina;
  • Canada ;
  • Isle of Man;
  • Faroe Islands ;
  • Israel;
  • Japan;
  • Jersey;
  • New Zealand;
  • United Kingdom;
  • Switzerland;
  • Uruguay.

The Commission is monitoring developments in third countries with an adequacy decision to ensure that they continue to provide an adequate level of protection under the GDPR. If necessary, the Commission may repeal, amend or suspend an adequacy decision.

The European Court of Justice (ECJ) may also invalidate the European Commission’s adequacy decisions if it considers that the third state does not provide an adequate level of protection under the GDPR.

It is essential for any importer and exporter of data to ensure that transfers of personal data are compliant with the GDPR.

GDRP Point

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”

Article 45(1) of the GDPR

Point of jurisprudence

The Court of Justice of the European Union (CJEU) reviewed the validity of Adequacy Decision 2016/1250 on the adequacy of protection provided by the EU-US Privacy Shield and found that the requirements of U.S. law, and in particular certain programs allowing access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes (in particular FISA 702 and Executive Order 12333) result in limitations on the protection of personal data that are not circumscribed to meet requirements that are substantially equivalent to those required by EU law, and that this legislation does not provide data subjects with rights of judicial review against U.S. authorities. The Commission’s adequacy decision was then invalidated.

 European Court of Justice, July 16, 2020, No. C-311/18

The Bouchara Law firm assists you in particular in :

  • Making your organization GDRP compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.