Adequacy Decision in a nutshell

ADEQUACY DECISION IN A NUTSHELL

Definition

The decision of the Commission that permits the transfer of personal data to a third country or international organization which ensures an adequate level of protection.

Introduction

The art. 45 of GDPR regulates the transfer of data to third countries and international organizations on the basis of an adequacy decision of the Commission. The content of the article reflects and sums up the experience of the Commission with the previous adequacy decisions, like for instance the Privacy Shield.

Once the Commission issues the adequacy decision, the data can be transferred without any further authorization and the transfer will be assimilated to an intra-EU transmissions of data.

As clarified by the CJEU in the Schrems decision, the level of protection is considered adequate when is “essentially equivalent to that guaranteed within the European Union” (case C‑362/14).

Elements to take into account: relevant rules and effective application

The Commission’s assessment on the adequacy of the level of protection has to take into account multiple elements, such as rule of law, respect of human rights and fundamental freedoms, data protection rules and access of public authorities to personal data.

The analysis of the Commission, however, is not limited to a formal assessment of the relevant legislative elements, and the level of protection has to be also ensured by “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects” and by “the existence and effective functioning of one or more independent supervisory authorities” (letter (a) art. 45(2)). In other words, the examination of the Commission concerns the applicable rules and their effective application.

Periodic review, repeal, amendment and suspension of the decision

The adequacy decision has to provide a mechanism of periodic review, at least every 4 years, aimed to evaluate the relevant developments in the third country or organization. Besides that, the Commission has to control on an ongoing basis the said developments. If the third country or the organization no longer ensures the adequate level of protection, the Commission can “repeal, amend or suspend the adequacy decision” (art. 45(5)).

Data transfer without an adequacy decision

If the adequacy decision isn’t granted, the data flow might follow other paths. The distinctive feature of the adequacy decision is that the transfer is made easier and unless the decision is repealed, reviewed or suspended, the transfer doesn’t require any further authorization.

The alternatives mechanisms to the adequacy decision are the “appropriate safeguards” and, as a last and residual option, the “derogations for specific situations”.

The appropriate safeguards that may allow the controller or the processor to transfer data to a third country or an international organization are the “ use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority ” (recital 108).

As we see, the adequacy decision is an umbrella that legitimates all the data transfers to a third country or international organization. With the appropriate safeguards mechanism, at the contrary, the transfer is authorized solely for the controller or the processor that ensures the respect of the appropriate safeguards . The scope of this mechanism is much narrower than the scope of the adequacy decision.

The derogations for specific situations mentioned in the art. 49 - designed as a residual alternative to the adequacy decision and the appropriate safeguards - are limited to a single transfer or a set of transfer of personal data. Such derogations include for example cases in which the data subject provided explicit consent to the transfer after being informed of the possible risks; cases in which the transfer is necessary for the performance of a contract or also cases in which the transfer is necessary for important reasons of public interest.

Michelangelo Casini

Table: