Transfers outside the EU with adequate protection

Any controller wishing to transfer personal data outside the European Union must first ensure that the country of final destination offers an adequate level of protection. If the destination country's level of protection can be considered adequate, transfers can take place as if they were within the EU itself.

Nevertheless, the general principles of the GDPR (including legitimacy, compatibility of the communication of data to a third party with the original processing, information to data subjects) must always be observed.

The adequacy of the level of protection of countries outside the EU is assessed on the basis of a number of criteria, including general and sector legislation of the country in question and its professional rules.

Which countries offer an adequate level of protection?

The European Commission is authorised to establish whether a country offers an adequate level of protection, and has done so for the following countries:

- Andorra;
- Argentina;
- Canada (commercial organisations);
- Faroe Islands;
- Guernsey;
- Israel;
- Isle of Man;
- Jersey;
- New Zealand;
- Switzerland;
- Uruguay; and
- the United States of America (limited to the Privacy Shield framework).

For any additional information or for the latest updates to the list of countries offering an adequate level of protection, it is strongly recommended to consult the European Commission’s website.

On 26 July 2000 the European Commission issued its adequacy decision regarding the Safe Harbor principles. However, on 6 October 2015 the Court of Justice of the European Union declared this decision invalid in the Schrems judgment. This implies that companies could no longer refer only to that decision as the legal framework for their data transfers. Subsequently the Safe Harbor principles were replaced by the EU-US Privacy Shield. The EU-US Privacy Shield was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016.