Adequacy Decision

A European Commission determination that a non-EEA country provides an adequate level of personal data protection.

An adequacy decision under GDPR Article 45 is the European Commission's formal finding that a non-EEA country, territory, or sector provides a level of data protection essentially equivalent to GDPR. When an adequacy decision is in force, transfers to that destination can take place without the need for Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or any other Article 46 transfer tool. A Transfer Impact Assessment (TIA) is technically not required, though many controllers still document a brief note for the file.

Current adequacy decisions

As of 2026, the Commission has issued adequacy decisions for:

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Israel
  • Japan (private-sector organisations)
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom (and a separate decision under the Law Enforcement Directive)
  • United States (under the Data Privacy Framework, for participating organisations only)
  • Uruguay

The list moves. Each decision is reviewed periodically; some have been challenged in the courts (Privacy Shield was annulled in Schrems II; the current US DPF decision is under similar litigation pressure).

Adequacy isn't permanent

An adequacy decision can be repealed, amended, or struck down by the courts. When that happens, every transfer to that destination has to be reassessed under the alternative mechanisms — SCCs plus a TIA. The 2020 Schrems II judgment forced thousands of organisations to do this for US transfers within months.

Any vendor with operations in an adequate jurisdiction is currently in a comfortable position. That position can change quickly if the adequacy decision is challenged, which is why TIA documentation is worth keeping warm even when not strictly required.
