Adequate countries are those countries which the European Commission has determined has data protection rules which are in line with the GDPR and whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU to that ‘third country’ without any further safeguards being necessary. Or to put it more simply, transfers to the country will be treated like a transfer within the EU.
Data protection by design and by default should still be applied, but the regulation requires no specific safeguards to protect the international transfer.
The European Commission has so far recognised a number of countries as providing adequate protection. However this list can change regularly and so organisations are advised to check here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Currently, transferring personal data to the United States of America is considered to have adequate protection by the EU, but only if the specific organisation is covered by the Data Protection Framework for the specific service that the data is being transferred to. Therefore additional due diligence should be undertaken when transferring personal data to the USA. The same can also be said for the UK where the Data Protection Framework is now an accepted safeguard.
How can ProvePrivacy Help?
ProvePrivacy allows RoPA users to add all contracts as part of the Data Sharing Assessment, all of the above clauses are noted within this assessment and if any are identified as absent then a risk will be added to the risk log.
