Data transfers on the basis of an adequacy decision

Data transfers on the basis of an adequacy decision are envisaged in Article 45 of the GDPR. Transfers may be made when there is a decision of the European Commission which ensures that transfers to third countries, territories or one or two specific sectors in the third country or an international organisations ensures an adequate level of protection.

The whole purpose of the adequacy decision by the Commission is to formally confirm with binding effects on a Member States that the level of data protection in a third country or an international organization is equivalent to the level of protection in the European Union. Basically, it is achievable through a combination of rights for individuals and obligations on those, who process data, or who control that processing. However, data protection rules can only be effective, if they are followed in practice. Moreover, efficient enforcement mechanisms are of utmost importance to the effectiveness of data protection rules.

When assessing the adequacy of the level of protection, the European Commission considers things like rule of law, respect for human rights and fundamental freedoms, existence of and effective functioning of an independent supervisory authority in the third country and the international commitments the third country or international organisation has entered into.

Basically, the analysis of adequate protection has two elements: the content of the rules that apply and the means used to ensure their application. The European Commission is tasked to verify that the rules in place are effective in practice.

It is necessary to mention that third country’s legal framework is also vital – specific rules addressing the relevant aspects of the fundamental right of data protection should be present.

In order to be more precise, in order to ensure that the level of protection in a third country or international organisation is equivalent to the one guaranteed by the EU legislation, these factors should be taken into account:

A third country’s or international organisation’s system must contain the following basic content and enforceable data protection principles and mechanisms:

1.Content principles

1) Concepts – basic data protection concepts and principles should exist;

2) Grounds for lawful and fair data processing – personal data has to be processed in a lawful, fair and legitimate manner;

3) Purpose limitation principle – personal data is processed for a specific purpose;

4) Data quality and proportionality – personal data should be accurate and kept up to date;

5) Security and confidentiality principle – data is processed in such a way that ensures security of personal data;

6) Transparency – each individual has to be informed about all the elements and stages of the processing, in a clear, easily accessible, concise, transparent and intelligible form.

7) Right of access, rectification, erasure and objection

8) Data retention – data should be kept no longer than it is necessary;

9) Restriction on onward transfers

2. Mechanisms

1) Competent Independent Supervisory Authority – one or more independent supervisory authorities tasked with monitoring, ensuring and enforcing compliance with data protection and privacy rules in the third country should exist and has to act in a complete independence.

2) The data protection system should ensure a high degree of accountability and awareness among data controllers and data processors.

3) Accountability – data controllers and/or those processing personal data should be obliged to comply with the data protection rules in the third country.

4) Provision of support and help to individuals – they should be able to pursue legal remedies, thus supervision mechanisms, allowing independent investigation of complaints and punishment for violations of privacy have to be present.

If the country in question meets all of the abovementioned criteria, then the European Commission may decide that the country offers an adequate level of protection and an Adequacy decision may be adopted. From this moment on, data can be transferred with another company in that third country without the data exporter is being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an ‘adequate’ third country will be comparable to a transmission of data within the EU.

So far, the European Commission has adopted adequacy decisions for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America.  As of July 2018, the EU and Japan has successfully concluded the negotiations related to the adoption of an adequacy decision. The latter will be adopted in the upcoming months.