An adequacy decision is a formal act adopted by the European Commission under Article 45 of the GDPR, declaring that a specific third country, territory, sector, or international organisation provides a level of data protection that is essentially equivalent to that guaranteed within the European Economic Area. When an adequacy decision covers the recipient jurisdiction, personal data may flow there without any additional legal mechanism, in the same way as intra-EEA transfers.
As of early 2026, the Commission has issued adequacy decisions for a number of countries, including Japan, South Korea, the United Kingdom, and Switzerland. The EU-US Data Privacy Framework, adopted in July 2023, provides a sectoral adequacy finding for transfers to US organisations certified under that framework. Adequacy decisions are not permanent: they are subject to periodic review by the Commission, and the Court of Justice of the EU has the power to annul them, as it did with Safe Harbour in 2015 and Privacy Shield in 2020.
When assessing data transfer compliance for HR purposes, practitioners should verify the current adequacy status of any destination country rather than relying on status at the time a vendor contract was signed. The Commission publishes and maintains an updated list of countries covered by adequacy decisions, and any change in status triggers an immediate obligation to implement an alternative transfer mechanism.