Adequate level of protection

In order to transfer personal data to a third country from the EU without any special permission or need to take additional safeguards, the third country needs to have an adequate level of protection according to the European Commission.

Adequate level of protection according to the European Commission

Under the GDPR, a third country is a country outside the EU/EEA. Only the European Commission can decide that a third country provides an adequate level of protection; an individual company cannot make that determination itself. Note that the decision does not necessarily have to cover an entire third country; it may apply, for example, to a certain territory within the third country's borders.

Basis for the European Commission's adequacy decision

There are several factors that the European Commission analyses when deciding whether a third country has an adequate level of protection or not. For example: 

  •   Laws of the third country.
  •   International obligations of the third country.
  •   The possibilities for data subjects to obtain a judicial remedy.
  •   How the third country responds to human rights.
  •   Whether the third country has an independent supervisory authority for data protection rules.

The European Commission continuously updates its list of third countries that it considers to provide an adequate level of protection.

Regular audits

A decision by the European Commission that a third country has an adequate level of protection does not mean that this will always be the case. The European Commission must review the decision on a regular basis. The review takes place at least once every four years, and the decision may be amended.

Transfer of personal data from the EU to the US

In the 2020 Schrems II judgment, the CJEU annulled the Privacy Shield and its Adequacy Decisions. As a result, the United States was no longer considered to have an adequate level of protection. One of the reasons was the access that authorities in the United States had to personal data. Subsequently, the EU and the US began negotiations on the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

Personal data may now be transferred from the EU to the US if the recipient is covered by the EU-U.S. Data Privacy Framework, decided by the European Commission in 2023. A transfer may also be allowed where the recipient is not connected to the DPF, but in such cases the company needs to take appropriate additional protective measures, for example binding corporate rules. Another safeguard is the use of standard contractual clauses.

Transfers to the UK after Brexit

The UK has been a third country under the GDPR since 2021 when it left the EU. Later in 2021, the European Commission took the decision that the UK has a sufficiently high level of protection, i.e. an adequate level of protection. The decision allows personal data from the EU to be transferred there without any additional safeguards or special permission, as if the UK were another EU country. 

More information about transferring personal data to third countries

Transfer personal data to third countries in specific situations and in the case of occasional transfers

It may be permissible to transfer personal data to a third country in certain situations, even if that third country does not have an adequate level of protection and the company has not taken additional safeguards such as entering into the European Commission's standard contractual clauses. One example is when the company receives explicit consent from the data subject. Please note that the company must inform the data subject of the risks that such a transfer entails if the third country lacks an adequate level of protection or appropriate safeguards are not taken by the company.
