In July 2023, the European Commission adopted its Implementing Decision on the adequate level of protection of personal data under the EU-US Data Privacy Framework (Adequacy Decision).

Particularly, the Commission decided that the United States (US), for the purpose of Article 45 of the General Data Protection Regulation (EU) 2016/679 (GDPR), ensures an adequate level of protection for personal data transferred from Europe to organisations in the US that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce. Therefore, transfers from Europe to organisations in the US that are included in the Data Privacy Framework List may be based on the Adequacy Decision, without the need to rely on Article 46 GDPR transfer tools.

This also means that these transfers do not have to be complemented by supplementary measures.

The EU-U.S. Data Privacy Framework sets the principles ruling the processing of personal data transferred from Europe to US, including individual rights, in particular the right of access, the right to object to the processing and the right to have data rectified and erased.

In march 2023, the European Data Protection Board also published the Guidelines 01/2022 on data subject rights - Right of access.

Transfers to entities in the US which are not included in the Data Privacy Framework List will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g., through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.

Read the Adequacy Decision here!