Glossary · EU Data Transfer Law EU Adequacy Decisions (European Commission Adequacy Decisions)
Formal European Commission determinations that a non-EU country provides an essentially equivalent level of personal data protection, allowing free transfer of personal data without additional safeguards.
## What an Adequacy Decision actually is
An EU Adequacy Decision is a formal determination by the European Commission, under [GDPR](/en/glossary/gdpr/) Article 45, that a non-EU country (or specific sector within one) provides a level of personal data protection **essentially equivalent** to that guaranteed within the EU.
When a country has an adequacy decision, EU personal data can flow there freely — no additional contractual safeguards (SCCs, BCRs) or Transfer Impact Assessments are required for the transfer itself. This is the *strongest* legal basis for international data transfers under GDPR.
## Countries with adequacy decisions (as of 2026)
The European Commission has recognized adequacy for:
- **Andorra**
- **Argentina**
- **Canada** (commercial organizations covered by PIPEDA)
- **Faroe Islands**
- **Guernsey**
- **Isle of Man**
- **Israel**
- **Japan** (with mutual EU-Japan adequacy)
- **Jersey**
- **New Zealand**
- **Republic of Korea (South Korea)**
- **Switzerland**
- **United Kingdom** (post-Brexit, two decisions: GDPR and Law Enforcement)
- **Uruguay**
- **United States** — only under the [EU-US Data Privacy Framework](/en/glossary/eu-us-data-privacy-framework/) for certified organizations
Note that several of these are subject to periodic review.
## How adequacy decisions are made
The European Commission considers:
### 1. Rule of law and fundamental rights
General human rights and rule-of-law framework in the third country.
### 2. Data protection law
Whether the country has comprehensive data protection legislation comparable to GDPR.
### 3. Independent supervisory authority
Whether an independent data protection authority exists with real enforcement power.
### 4. International commitments
Membership in privacy-relevant international agreements (Convention 108, etc.).
### 5. Government access to data
Whether national security and law enforcement access to personal data is proportionate, governed by clear law, and provides effective remedies.
The fifth factor is where the **Schrems** cases keep intervening for the US.
## How adequacy decisions are reviewed
Article 45(3) GDPR requires the Commission to **review adequacy decisions periodically** (at least every four years). The Commission can suspend, repeal, or amend adequacy if circumstances change.
Decisions can also be invalidated by the **Court of Justice of the EU**:
- [Schrems I](/en/glossary/schrems-i/) (2015) invalidated the Safe Harbor decision
- [Schrems II](/en/glossary/schrems-ii/) (2020) invalidated Privacy Shield
## What adequacy decisions mean in practice
### For data exporters
If you're transferring EU personal data to a country with an adequacy decision:
- **No additional safeguards required** for the legal basis of the transfer
- Standard GDPR principles still apply (purpose limitation, minimization, etc.)
- No Transfer Impact Assessment required for the transfer itself
- Documentation should still note the adequacy basis
### For data importers in adequate countries
If you're a Japanese or UK organization receiving EU data:
- You benefit from streamlined transfers from EU customers
- Your country's adequacy is competitive advantage vs non-adequate jurisdictions
- Maintaining adequacy depends on national-level policy choices
### For tech buyers
When evaluating vendors:
- **EU-resident vendors**: no transfer issue
- **Adequate-country vendors** (UK, Switzerland, etc.): straightforward transfer basis
- **US vendors under EU-US DPF**: technically adequate but legally vulnerable
- **Non-adequate jurisdictions**: requires SCCs + TIA, often impractical for sensitive data
## The UK adequacy specifically
After Brexit, the UK received an adequacy decision in 2021. This decision is subject to periodic review and was renewed. UK divergence from GDPR — particularly proposals around the UK's own data protection reform — could put adequacy at risk.
For European businesses using UK-based providers, current adequacy makes transfers straightforward, but the decision is conditional on continued UK alignment.
## Adequacy vs other transfer mechanisms
When adequacy doesn't exist or is insufficient, GDPR provides:
- **Standard Contractual Clauses (SCCs)** — Commission-approved contract terms ([see SCCs](/en/glossary/sccs/))
- **Binding Corporate Rules (BCRs)** — internal rules within multinational groups ([see BCRs](/en/glossary/bcrs/))
- **Derogations** — limited exceptions for specific situations
- **Transfer Impact Assessment** — required where SCCs/BCRs are used to verify whether they actually deliver protection ([see TIA](/en/glossary/tia/))
Adequacy is preferred because it eliminates the per-transfer assessment burden.
## What 2026-2027 brings
- **Periodic reviews** of existing adequacy decisions, including UK
- **Possible new adequacy decisions** for additional countries (ongoing assessments)
- **Continued vulnerability** of EU-US DPF to Schrems-line challenges
- **AI Act intersection** — adequacy doesn't automatically address AI-specific data flows
## Practical implications
For European tech buyers, adequacy decisions structurally favor:
1. **EU-resident providers** (best — no transfer at all)
2. **Adequate-country providers** (UK, Switzerland, etc. — clean legal basis)
3. **EU-US DPF certified providers** (legal but vulnerable)
4. **Other US/non-adequate providers** (requires SCCs + TIA — often impractical)
The hierarchy matters when comparing vendors. A vendor's jurisdiction shapes the compliance overhead you carry forever after.
Was this helpful?
Thanks for your feedback!