Meaning of an 'adequate level of protection'
Under Article 45(1), the Commission can decide a third country, a territory, a sector, or an international organisation ensures an adequate level of protection - and then no specific authorisation is needed for transfers there. Adequacy is assessed against three elements: the rule of law and enforceable rights/redress, independent supervisory authorities, and the country's international commitments.
Article 45(1) lets the Commission find adequacy for a whole third country, a territory, one or more specified sectors, or an international organisation. Once adequacy is decided, the transfer shall not require any specific authorisation.
| Element | What it covers |
|---|---|
| Rule of law & rights | Respect for human rights and fundamental freedoms; relevant general and sectoral law (including public security, defence, national security, criminal law and public-authority access to data); rules on onward transfers; effective and enforceable data subject rights and administrative/judicial redress |
| Independent supervision | One or more independent supervisory authorities with adequate enforcement powers, duties to assist data subjects, and cooperation with EU authorities |
| International commitments | Binding conventions/instruments and participation in multilateral or regional systems relevant to protecting personal data |
Adequacy is not all-or-nothing for a whole country: it can be limited to a territory or one or more specified sectors within a third country.