Article 45 of GDPR: Transfers On The Basis of An Adequacy Decision
Article 45 of GDPR lays out the conditions based on which personal data may be transferred to a third country, a territory within a third country or to an international organization in such a way that it will ensure an adequate level of privacy rights.
Transfer to countries considered adequate (Article 45(1) GDPR)
When the Commission determines that a country, a territory within a country or an international organization provides an adequate level of protection to personal data, then data controllers and data processors are authorized to transfer personal data without any specific formalities or specific authorization.
Evaluation of a third country adequacy (Article 45(2) GDPR)
To evaluate a third country’s adequacy level, the Commission should consider the following factors about the third country:
- Rule of law (Article 45(2)(a) GDPR)
- Respect for human rights (Article 45(2)(a) GDPR)
- Data protection legislation (Article 45(2)(a) GDPR)
- Public security legislation (Article 45(2)(a) GDPR)
- Defence and national security requirements (Article 45(2)(a) GDPR)
- Legislation implementation (Article 45(2)(a) GDPR)
- Professional rules (Article 45(2)(a) GDPR)
- Case law (Article 45(2)(a) GDPR)
- Enforcement of legal rights (Article 45(2)(a) GDPR)
- Existence and functioning of an independent supervisory authority (Article 45(2)(b) GDPR)
- Supervisory authority’s enforcement and compliance with data protection laws (Article 45(2)(b) GDPR)
- Supervisory authority’s assistance to data subjects (Article 45(2)(b) GDPR)
- Supervisory authority’s level of cooperation with EU member states (Article 45(2)(b) GDPR)
- International commitments of the third country (Article 45(2)(c) GDPR)
- Participation in multilateral or regional instruments related to data protection (Article 45(2)(c) GDPR)
Commission’s implementing act on adequacy (Article 45(3) GDPR)
Following its assessment, the Commission may decide that a particular third country provides a sufficient level of protection to personal data.
The Commission will adopt an implementing act providing for the mechanisms to review the third country, at least every 4 years.
The Commission will also specify the territorial application of the adequacy decision along with its sectoral application along with the identity of the supervisory authority.
Monitoring of adequacy decisions (Article 45(4) GDPR)
GDPR requires that the Commission monitor the third countries subject to its adequacy decision to ensure that it’s adequacy decision remains relevant.
Repeal of an adequacy decision (Article 45(5) GDPR)
When the Commission obtains relevant information that the third country may no longer provide an adequate level of data protection mechanisms, it has the power to repeal, amend or suspend its adequacy decision.
Its decision will be adopted by way of an implementing act and such act cannot be retroactive.
Consultation with third country (Article 45(6) GDPR)
If the Commission repeals, amends or suspends a third country’s adequacy decision, the Commission should enter into a consultation with the third country with the objective to remedy the situation.
Commission’s decision without prejudice (Article 45(7) GDPR)
If the Commission finds that a third country no longer provides sufficient level of protection of personal data and thus repeals, amends or suspends its adequacy decision, such decision will be without prejudice to the personal data transfers to that third country.
Publication of countries considered adequate (Article 45(8) GDPR)
The Commission must publish a list of the third countries it considers adequate for the purpose of data transfer.
The publication should be done in the Official Journal of the European Union or on the Commission’s website.
Decisions pursuant to Directive 95/45/EC (Article 45(9) GDPR)
The Commission’s decisions adopted based on Directive 95/45/EC will remain in full force until the Commission decides to repeal, amend or replace such a decision based on the GDPR rules.
Recitals applicable to Article 45 of GDPR
Relevant Recitals: 103, 104, 105, 106, 107
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 45 or relevant recitals
Council of Europe Convention of 28 January 1981
GDPR Text: Article 45 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)