The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

a proposal from the European Commission;
an opinion of the European Data Protection Board;
an approval from representatives of EU countries;
the adoption of the decision by the European Commission.

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland , the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

Adequacy decisions latest

11 April 2023

Joint Press Statement by Didier Reynders, European Commissioner for Justice, and Ko Haksoo, Chair of the Republic of Korea's Personal Information Protection Commission

Read the full Joint Press Statement.

4 April 2023

Joint Press Statement on the conclusion of the first review of the Japan-EU mutual adequacy arrangement

Read the full Joint Press Statement

17 December 2021

Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commis

The Commission has adopted its adequacy decision on the Republic of Korea

17 December 2021

Questions & Answers on the adoption of the adequacy decision ensuring safe data flows between the EU and the Republic of Korea

Questions & Answers on the adoption of the adequacy decision ensuring safe data flows between the EU and the Republic of Korea

Documents

4 APRIL 2023

Report on the first periodic review of the adequacy decision for Japan

English

(448.54 KB - PDF)

4 APRIL 2023

Commission Staff Working Document - Report on the first periodic review of the adequacy decision for Japan

English

(609.12 KB - PDF)

17 DECEMBER 2021

Decision on the adequate protection of personal data by the Republic of Korea with annexes

English

(1.62 MB - PDF)

28 JUNE 2021

Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation

English

(1.04 MB - PDF)

Deutsch
(1.27 MB - PDF)
Download
français
(1.52 MB - PDF)
Download

28 JUNE 2021

Decision on the adequate protection of personal data by the United Kingdom: Law Enforcement Directive

English

(798.68 KB - PDF)

Deutsch
(978.74 KB - PDF)
Download
français
(1.13 MB - PDF)
Download

14 JANUARY 2019

EU Japan Adequacy Decision - Factsheet

English

(216.41 KB - PDF)

Related links

Data protection: European Commission launches process on personal data flows to UK

Press release - 19 February 2021

International data flows: Commission launches the adoption of its adequacy decision on Japan

Press release - 5 September 2018

Press statement by Commissioner Věra Jourová, Mr. Lee Hyo-seong, Chairman of the Korea Communications Commission and Mr. Jeong Hyun-cheol, Vice President of the Korea Internet & Security Agency

Press Statement - 20 November 2017

Joint Declaration by Mr. Shinzo Abe, Prime Minister of Japan, and Mr. Jean-Claude Juncker, President of the European Commission

Joint Declaration - 6 July 2017

Joint statement by Commissioner Věra Jourová and Haruhi Kumazawa, Commissioner of the Personal Information Protection Commission of Japan on the state of play of the dialogue on data protection

Joint Statement - 4 July 2017