Loading…
Loading…
A formal decision by the European Commission determining that a third country, territory, or sector outside the EU provides a level of personal data protection essentially equivalent to the EU standard. Countries with adequacy decisions — such as the UK, Japan, and (with conditions) the US under the EU-US Data Privacy Framework — can receive EU personal data without additional legal safeguards. Without an adequacy decision, EU-to-third-country data transfers require alternative mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Why this matters for your team
If your AI vendor processes EU personal data outside the EU, check whether an adequacy decision covers that transfer. If not, you need Standard Contractual Clauses — make sure they're in your DPA. Unprotected data transfers are a significant GDPR enforcement risk.
A European startup uses a US-based AI API that processes EU customer data on US servers. Because the US has a partial adequacy arrangement (EU-US Data Privacy Framework), the startup checks that the vendor is DPF-certified before proceeding without SCCs.