AIGP Exam Concept

International Data Transfers

What are adequacy decisions and when do they apply to international data transfers?

Transferring personal data outside the EEA requires a lawful transfer mechanism. Adequacy decisions are one of those mechanisms, and understanding their scope and limits is tested on the AIGP exam.

Why this matters for the AIGP exam

International transfers are a high-frequency AIGP exam topic because they require combining knowledge of the transfer mechanism hierarchy, the specific conditions for each mechanism, and the circumstances where supplementary measures or alternative mechanisms are needed. Questions in this area often test whether a proposed transfer is lawful under the described conditions, or which mechanism is most appropriate.

The transfer restriction and the lawful mechanisms

GDPR Chapter V restricts the transfer of personal data to third countries (countries outside the EEA) unless the transfer uses one of the lawful mechanisms provided. The hierarchy of mechanisms is:

  1. Adequacy decision: The European Commission has determined that the destination country provides an essentially equivalent level of protection to the EEA. No further safeguards are required for the transfer itself.
  2. Appropriate safeguards (Article 46): If no adequacy decision exists, the transfer may proceed using safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or approved codes of conduct.
  3. Derogations (Article 49): In the absence of adequacy or appropriate safeguards, transfers may occur in limited circumstances such as explicit consent, necessity for a contract, or vital interests. These are intended as exceptions, not routine transfer mechanisms.

How adequacy decisions work

An adequacy decision is a formal determination by the European Commission that a third country, territory, sector, or international organization provides a level of data protection essentially equivalent to that in the EEA. Once an adequacy decision is in place, personal data can flow freely to the covered destination without requiring any additional transfer safeguard.

Adequacy decisions must be reviewed periodically. They can be amended, suspended, or repealed if the Commission determines that the destination no longer provides an adequate level of protection. The Schrems II ruling by the Court of Justice of the EU invalidated the EU-US Privacy Shield adequacy decision in 2020. The EU-US Data Privacy Framework adequacy decision, adopted in 2023, replaced it, but only covers organizations certified under that framework.

Scenario example

A French company wants to transfer customer data to a cloud provider headquartered in the United States. The EU-US Data Privacy Framework adequacy decision is currently in effect.

The French company cannot simply rely on the adequacy decision for any US recipient. The DPF adequacy decision applies only to US organizations that have self-certified under the Data Privacy Framework program. The French company must verify that the specific cloud provider is listed as a certified participant in the DPF program before relying on adequacy as the transfer mechanism.

If the cloud provider is not DPF-certified, the French company must use an alternative transfer mechanism, most commonly Standard Contractual Clauses, along with a Transfer Impact Assessment to evaluate whether the SCCs provide effective protection in the specific circumstances.

Common confusion and exam trap

The most common trap is treating adequacy decisions as applying to an entire country uniformly. The US adequacy decision under the DPF applies only to certified organizations. A transfer to a US company that is not DPF-certified is not covered by the adequacy decision, regardless of the fact that an adequacy decision for the US exists.

A second trap is assuming that adequacy decisions eliminate all due diligence. Even with an adequacy decision in place, organizations must comply with other GDPR requirements: they must have a valid legal basis for the underlying processing, they must include the transfer in their records of processing activities, and they must inform data subjects about the transfer in their privacy notice.

A third trap involves the temporary nature of adequacy decisions. Adequacy decisions can be invalidated by court rulings or Commission reassessment. Organizations that rely on an adequacy decision should monitor its current status and have contingency plans in place.

Standard Contractual Clauses as the primary alternative

Where no adequacy decision applies, Standard Contractual Clauses are the most commonly used transfer mechanism. The European Commission published updated SCCs in 2021 covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Organizations must select the appropriate module based on the roles of the parties in the transfer.

Following Schrems II, organizations using SCCs must also conduct a Transfer Impact Assessment to evaluate whether the destination country's laws and practices allow effective protection of the transferred data in practice, not just on paper.

Practice this concept in context

AIGP Decision Lab includes scenario questions on this topic with full rationale breakdowns. One time purchase. $39.99.

Join early access

Independent AIGP prep tool. Not affiliated with IAPP.