Countries having Data Protection Adequacy

Countries having Data Protection Adequacy

Transfers of personal data to third countries are regulated under Articles 44-50 of the General Data Protection Regulation (Reg. EU 2016/679).

No additional safeguards, restrictions or formalities apply in relation to transfer of personal data to:

EU Member States;

Member countries of the EEA;

Third countries, specific sectors (such as the EU-US Privacy Shield), or international organisations which are, from time to time, recognised by the EU Commission to have an adequate level of protection; Click here​ to view the official list​.

Where the transfer is to a destination which does not ensure an adequate level of data protection, controllers or processors transferring personal data, may still carry out such transfers provided that appropriate safeguards as specified under Article 46 of the GDPR are introduced. These safeguards may be provided by means of:

(a)  a legally binding and enforceable instrument between public authorities or bodies;

(b)  binding corporate rules;

(c)  standard data protection clauses adopted by the Commission;

(d)  standard data protection clauses adopted by a supervisory authority and approved by the Commission;

(e)  an approved code of conduct;

(f)  an approved certification mechanism.

No authorisation would be required from the Commissioner for transfers undertaken by means of the abovementioned safeguards.​ 

Transfers to Third Countries