The meaning of „adequate” under GDPR – lesson learnt from EU bodies
DOI:
https://doi.org/10.15290/eejtr.2025.09.01.05Keywords:
data transfer, personal data, adequacy, GDPR, EU law, personal data protectionAbstract
The concept of “adequate” data protection model in third country or organisation plays vital role in General Data Protection Regulation, but more importantly – in business and relations between European Union and other international actors. Understanding what “adequate” means is crucial for ensuring the security of personal data transferred outside EU. However, the European Union has not provided clear guidance on this matter, which may have negative consequences for businesses, individuals, and the EU as a whole. This paper examines the meaning of 'adequate' by analyzing the work of EU institutions through a deep-dive investigation, as well as comparative and conceptual legal research. The outcome of the research allow researchers and professionals to deeply understand adequacy requirements under General Data Protection Regulation and is viable source for further research in the area but also – in the practice of ensuring GDPR compliance by both private and public organisations.
Downloads
References
Advocate General Bot. (2015, September 23). Opinion in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner. Court of Justice of the European Union.
Article 29 Working Party. (2017, November 28). Adequacy referential. https://ec.europa.eu/newsroom/article29/items/612080
Calia, D. (2022). Schrems II: The EU's influence on U.S. data protection and privacy laws. Washington University Global Studies Law Review, 21(2), 247–272.
Charter of Fundamental Rights of the European Union, O.J. C 326 (2012, October 26).
Council of Europe. (1981). Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) (as amended by Convention 108+).
Court of Justice of the European Union. (2004, October 5). Commission v. Greece, C-475/01. E.C.R. I-0000.
Court of Justice of the European Union. (2006, May 30). Joined Cases C-317/04 and C-318/04. E.C.R. I-0000.
Court of Justice of the European Union. (2015, October 6). Schrems v. Data Protection Commissioner, C-362/14. E.C.R. I-0000.
Dahl, K. (2019). Data adequacy and China - The possibility of an adequacy decision adopted on China in accordance with the GDPR Article 45. University of Bergen. https://bora.uib.no/bora-xmlui/handle/1956/21714.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Drechsler, L. (2021a). EDPB issues guidance on personal data transfers based on adequacy decisions in the context of the Law Enforcement Directive. European Data Protection Law Review, 7(2), 221–227.
Drechsler, L. (2021b). Wanted: LED adequacy decisions. How the absence of any LED adequacy decision is hurting the protection of fundamental rights in a law enforcement context. International Data Privacy Law, 11(3), 182-195.
Duque de Carvalho, S. L. (2019). Key GDPR elements in adequacy findings of countries that have ratified Convention 108. European Data Protection Law Review, 5(1).
European Commission. (2002/2/EC). Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, O.J. L 6.
European Commission. (2003/490/EC). Commission Decision of 30 June 2003 pursuant to Directive 95/46/EC on the adequate protection of personal data in Argentina, O.J. L 168.
European Commission. (2003/821/EC). Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey, O.J. L 308.
European Commission. (2004/411/EC). Commission Decision of 28 April 2004 on the adequate protection of personal data in the Isle of Man, O.J. L 181.
European Commission. (2008/393/EC). Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC on the adequate protection of personal data in Jersey, O.J. L 159.
European Commission. (2010/146/EU). Commission Decision of 5 March 2010 pursuant to Directive 95/46/EC on the adequate protection provided by the Faeroese Act on processing of personal data, O.J. L 71.
European Commission. (2010/625/EU). Commission Decision of 19 October 2010 pursuant to Directive 95/46/EC on the adequate protection of personal data in Andorra, O.J. L 281.
European Commission. (2011/61/EU). Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC on the adequate protection of personal data by the State of Israel about automated processing of personal data, O.J. L 27.
European Commission. (2013/65/EU). Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC on the adequate protection of personal data by New Zealand, O.J. L 28.
European Commission. (2017). Communication from the Commission to the European Parliament and the Council: Exchanging and protecting personal data in a globalised world (COM(2017) 7 final).
European Commission. (2019/419). Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, O.J. L 76/1.
European Data Protection Board. (2018). Endorsement 1/2018. https://edpb.europa.eu/sites/default/files/files/news/endorsement_of_wp29_documents.pdf
European Data Protection Board. (2021). Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive. https://edpb.europa.eu
European Data Protection Board. (2023, July 10). Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision. https://edpb.europa.eu/our-work-tools/our-documents/other-guidance/information-note-data-transfers-under-gdpr-united-0_en
General Court of the European Union. (2023). Philippe Latombe v. European Commission, T-553/23 R (pending).
Gonzalez Domenech, J. (2019). Las decisiones de adecuación en el derecho Europeo relativas a las transferencias internacionales de datos y los mecanismos de control aplicados por los estados miembros. Cuadernos de Derecho Transnacional, 11(1), 350–371.
Hamilton, D., & Quinlan, J. (2020). The transatlantic economy 2020: Annual survey of jobs, trade and investment between the United States and Europe.
Hughes, A. (2001). A question of adequacy - The European Union’s approach to assessing the Privacy Amendment (Private Sector) Act 2000 (CTH). University of New South Wales Law Journal, 25(1), 270-276.
Ihle, J. (2010, July 8). Ireland blocks EU data sharing with Israel. Jewish Telegraphic Agency. https://www.jta.org/2010/07/08/global/ireland-blocks-eu-data-sharing-with-israel.
Mednis, A. (2023). Kryteria uznawania odpowiedniego stopnia ochrony danych osobowych w państwie trzecim. In M. Sakowska-Baryła (Ed.), Transfer danych osobowych na podstawie RODO (pp. 115–133). Warszawa: Wydawca.
Murphy, H. M. (2021). Assessing the implications of Schrems II for EU–US data flow. International & Comparative Law Quarterly. Advance online publication. https://doi.org/10.1017/S0020589321000348.
Naef, T. (2021). Data protection without data protectionism: The right to protection of personal data and data transfers in EU law and international trade law. Springer.
noyb. (2023). New trans-Atlantic data privacy framework largely a copy of "Privacy Shield". noyb will challenge the decision. https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.
Panek, W. (2024). People’s Republic of China and the adequacy – Why Chinese data protection law is not adequate within the meaning of the GDPR. Masaryk University Journal of Law and Technology, 2, 143-167.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L 119/1.
Schwartz, P. M. (2019). Global data privacy: The EU way. New York University Law Review, 94(3), 771–817.
Swisher, K. (2015, February 13). Kara Swisher interviews President Barack Obama on cyber security, privacy and his relationship with Silicon Valley. Re/code.
Velli, F. (2019). The issue of data protection in EU trade commitments: Cross-border data transfers in GATS and bilateral free trade agreements. European Papers, 4(3), 881–894.
Wolf, J. (2014). Delusions of adequacy - Examining the case for finding the United States adequate for cross-border EU-U.S. data transfers. Washington University Journal of Law & Policy, 43, 227-257.
Downloads
Published
Issue
Section
License
Copyright (c) 2025 Dominika Kuźnicka-Błaszkowska
This work is licensed under a Creative Commons Attribution 4.0 International License.
1. The Author declares that he or she has created the written work and holds exclusive and unlimited copyright /both moral and property rights/ and guarantees that no third parties have rights to the work.
2. In the view of the Copyright and Related Rights Act, a work must fulfill the following criterion:
a) be a manifestation of creative work,
b) have an individual character („author’s personal stamp”),
c) have a set form.
3. The Author declares that the text has not been previously published (under the same or different title, or as a part of another publication).
4. The Author allows (grants a non-exclusive license) the publishing house of University of Białystok to use the scholarly text to:
- preserve and multiply by means of any technique; save in a digital form with no limitations as to the manner and form of digital preservation;
- upload online with no limitations as to the place and time of access.
5. The Author grants consent for editorial changes made in the work.
6. The Author grants the University of Białystok rights free of charge for the duration of property copyright with no territory limits. The University has the right to grant sublicenses in the acquired rights.
7. Granting a non-exclusive license allows the Author to preserve their rights and allows other parties to make use of the work according to sublicensing agreement with provisions identical as those of Attribution 4.0 Internacional License (CC BY 4.0), available online at: https://creativecommons.org/licenses/by/4.0/.
8. The Agreement has been concluded for an indefinite period of time.
9. Because of costs born in preparation of the work for publishing, the Parties oblige themselves to act in good faith and refrain from declining to grant licenses.
10. To all matters not settled herein, provisions of the Civil Code and Copyright and Related Rights Act of 1994, February 4 shall apply.
11. All disputes shall be resolved by a court of local jurisdiction for the place of seat of University of Białystok.
