EU-28: Adopted Regulation (EU) 2016/679 (General Data Protection Regulation) including data transfer requirements

On 27 April 2016, the European Parliament and the Council adopted the General Data Protection Regulation (GDPR), creating comprehensive data protection regulations within the European Union. The regulation restricts personal data transfers from the EU to other countries, providing several mechanisms which allow for data transfers while upholding the GDPR’s data protection standards. The main mechanism is an “adequacy decision”, in which the European Commission declares the data protection regime of a third country as adequate, enabling transfers to that country without further authorisation. Other mechanisms are “appropriate safeguards” by data controllers or processors transferring data. Safeguards which do not require further authorisation include binding corporate rules, standard data protection clauses, approved codes of conduct and approved certification mechanisms. Safeguards which require authorisation include contractual clauses between the controller or processor in the EU and the third country.