EU GDPR—adequacy decisions—tracker
EU GDPR—adequacy decisions—tracker

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • EU GDPR—adequacy decisions—tracker
  • Background
  • Adequacy decisions
  • Key developments

This Practice Note is intended to be used to track the status of adequacy decisions relating to cross-border/international transfers of personal data under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR). It includes relevant opinions, reports and guidance issued by EU bodies relating to the status of new and existing decisions.

This Practice Note does not include the EU-US Privacy Shield framework (the Privacy Shield), which was invalidated by the Court of Justice on 16 July 2020, see Practice Note: Privacy Shield timeline.

For a comprehensive introduction to the EU GDPR, collating key practical guidance, see: Data protection toolkit.

Background

Although the text of the EU GDPR refers throughout to the ‘Union’, it is stated on page one of the regulation that it is a text ‘with EEA relevance’, meaning all provisions are intended to be applicable in respect of all EEA members, not just those that also have EU membership. Since the EU GDPR has been incorporated into the EEA Agreement and is in force, references to EU Member States in the EU GDPR can generally be read to also include EEA members. For further information on that incorporation, see the European Free Trade Association’s GDPR tracker.

Article 44 of the EU GDPR prohibits the transfer of personal data to a third country outside of the EEA, or an ‘international organisation’ (an international transfer).

Popular documents