What is an adequacy decision under GDPR?

An adequacy decision (GDPR Art. 45) is a formal European Commission ruling that a third country or international organisation provides an "essentially equivalent" level of protection to the EU. Effect: data may flow without additional contracts or safeguards to that country — as if it were an EU member state. Current adequacy countries (2026): Andorra, Argentina, Canada (commercial sector only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, and the US (via EU-US Data Privacy Framework since 10 July 2023). How is it assessed? EC looks at: respect for rule of law + fundamental rights, independent supervisor, judicial review, international obligations. Assessment can take years. Periodic review: every 4 years the EC must re-examine whether the decision still stands. That's how Privacy Shield was invalidated via Schrems II (see our Schrems II article). Difference vs SCCs: adequacy decision = automatically allowed, SCCs = additional contract needed (see SCCs). Adequacy is the simpler path. Business relevance: choosing a supplier in an adequacy country (e.g. Switzerland or UK) is simpler than additional TIAs + measures for other third countries.