What is an adequacy decision? Does my country qualify under GDPR for it?

An adequacy decision is an approval given by the European Commission to a third country, a territory, a sector, or an international organization that offers a level of data protection comparable to that offered within the European Union. It is the cornerstone of how the GDPR approaches international transfers of data.

Key aspects of adequacy decisions include:

  • Legal effect: Once an adequacy decision has been made, transfers may take place from the EU to the recipient country without further safeguards or approval.
  • Comprehensive assessment: The overall level of data protection in the third country is assessed through its laws, regulations and international commitments.
  • Periodic review: Adequacy decisions are subject to periodic review, at least every four years, to validate that the third country continues to provide adequate protection.
  • Limited coverage: An adequacy decision may cover a whole country or only certain areas of activity within a country.

As of the latest information available, the European Commission has recognized the following as providing adequate protection:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom (under both GDPR and LED)
  • Uruguay

If your country is not on this list, then it does not meet the GDPR adequacy requirements. In that case, if personal data is to be transferred from the EU to your country, you have to rely on the other transfer tools offered under the GDPR: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or special derogations.
