UK adequacy decision

Author: TIC Salut Social   /  30 of June of 2021

The European Commission has the right to determine, on the basis of Article 45 of the General Data Protection Regulation (GDPR), whether a country outside the EU offers an adequate level of data protection or not. The EC has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, Man Island, Japan, Jersey, New Zealand, Switzerland and Uruguay as appropriate data protection countries.

On 28 June 2021, the European Commission has taken two decisions on the adequacy of personal data transfers in the United Kingdom, according to the GDPR and the Policies on data protection in the criminal field (LED).

Personal data can now move freely from the European Union to the United Kingdom, where they benefit from a level of protection essentially equivalent to that guaranteed by EU legal basis. The adequacy decisions also facilitate the proper implementation of the EU-UK Cooperation and Trade Agreement, which provides the exchange of personal information. Judicial cooperation would be an example.

Key concepts of adequacy decisions

  • The UK data protection system continues to be based on the same rules that were applicable when the UK was an EU Member State. The United Kingdom has fully joined the principles, rights and obligations of the GDPR and the Policies on data protection of criminal issues into its post-Brexit legal system.


  • According to accessing to personal data by the UK’s public authorities, particularly for national security reasons, the British system provides efficient guarantees. In particular, the collection of data by the intelligence authorities is subjected to prior authorisation by an independent judicial body. Any measure must be necessary and proportionate to what it is intended to achieve. The United Kingdom is also subject to the jurisdiction of the European Court of Human Rights and must respect the European Convention for Human Rights, as well as the Council of Europe Convention on the Protection of People with regard to the automatic processing of personal data, which is the only internationally binding treaty on data protection. These international commitments are an essential element of the legal framework assessed both in the two adequacy decisions.


  • For the first time, the adequacy decisions include the so-called “expellation clause”, which strictly limits its duration. This means that decisions will automatically expire four years after their entry into force. After this period, the results of the adaptation could be renewed. However, only if the UK continues to guarantee an adequate level of data protection.


  • Transfers to immigration control effects from the United Kingdom are excluded from the scope of the adequacy decision taken under the GDPR to reflect a recent ruling by the Court of Appeal of England and Wales on the validity and interpretation of certain restrictions on data protection rights in this area. The EC will re-evaluate the need for this exclusion once the situation has been amended in accordance with UK law.


Per a més informació:

Adequacy decisions 

Decision on the proper protection of personal data by the United Kingdom – General Data Protection Regulation

For further questions or clarification you can address the Healthcare  DPO:

Tel.: 93 553 26 42 (from 9:00 to 14:00)