What is Adequacy Decision?
An adequacy decision is a determination by the European Commission that a third country or international organization provides an adequate level of data protection, allowing free transfer of personal data from the EU without additional safeguards.
An adequacy decision is a formal determination by the European Commission under Article 45 of the GDPR that a third country, a territory, or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection for personal data. When an adequacy decision is in place, personal data can flow freely from the EU and European Economic Area to that country without requiring additional safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
The European Commission assesses several factors when making an adequacy determination, including the rule of law and respect for human rights, the existence and effective functioning of an independent supervisory authority, and international commitments the country has entered into. Adequacy decisions are not permanent and are subject to periodic review. The Commission can amend, suspend, or repeal a decision if conditions change. As of early 2026, countries with full or partial adequacy decisions include Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (under the EU-US Data Privacy Framework), and Uruguay.
Organizations transferring data internationally should monitor the status of adequacy decisions for their relevant jurisdictions through ComplyIQ, which tracks regulatory changes and can alert when transfer mechanisms may need to be updated.
Relevant Regulations
How IQWorks Helps
Related Terms
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.
Standard Contractual Clauses (SCC)
Standard Contractual Clauses are pre-approved model contractual clauses adopted by the European Commission to facilitate lawful international transfers of personal data to countries outside the EEA.
Binding Corporate Rules (BCR)
Binding Corporate Rules are internal codes of conduct approved by data protection authorities that permit multinational organizations to transfer personal data within their corporate group across international borders.
Cross-Border Data Transfer
Cross-border data transfer refers to the movement of personal data from one country or jurisdiction to another, which is regulated by data protection laws that impose specific requirements to ensure adequate protection.
Privacy Shield
Privacy Shield was a framework governing transatlantic data transfers between the EU and the US, invalidated by the EU Court of Justice in 2020 and subsequently replaced by the EU-US Data Privacy Framework in 2023.