Transfers outside the EU with adequate protection

Any controller wishing to transfer personal data outside the European Union must first ensure that the country of final destination offers an adequate level of protection. If the destination country's level of protection can be considered adequate, there can be transfers as if they took place between two Belgian controllers or to another EU country.

Nevertheless, the general principles of the Privacy Act (including legitimacy, compatibility of the communication of data to a third party with the original processing, information to data subjects) must always be observed.

The adequacy of the level of protection of countries outside the EU is assessed on the basis of a number of criteria, including general and sector legislation of the country in question and its professional rules.


Pursuant to article 21, § 2 of the Privacy Act, the King has the power to establish for which categories of personal data processing operations and in which circumstances the transfer of personal data outside the EU is not authorised, but he has not used this possibility yet. The evolution of the decisions made by the European Data Protection Authority and EU member states shows, however, that not third countries nor certain processing operations not offering and adequate level of protection are listed ("black list"), but those who do offer such protection ("white list").

Which countries offer an adequate level of protection?

the European Data Protection Authority is authorised to establish whether a country offers an adequate level of protection, and has done so for the following countries: Switzerland, Canada (for processing operations subject to the Canadian Personal Information Protection and Electronic Documentation Act and for airline passenger data), Andorra, Argentina, the United States (for airline passenger data), Guernsey, the Isle of Man, the Faroe Islands de Faeröereilanden, Jersey, Australia (for airline passenger data), Israel, New Zealand and Uruguay.

the European Data Protection Authority issued on 26 July 2000 its decision regarding the Safe Harbor principles. But the Court of Justice of the European Union declared on 6 October 2015 this decision invalid with the Schrems judgment. This implies that companies can no longer only refer to that decision as legal framework for their data transfers.

For all additional information or for the last updates of the list of countries offering an adequate level of protection, it is strongly recommended to consult the European l’Autorité de protection des données's website.