GDPR Art.45.Adequacy: Adequacy Decision Monitoring and Compliance
What This Control Requires
The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
In Plain Language
Relying on an adequacy decision is not a set-and-forget exercise. The European Commission reviews these decisions at least every four years, and the Schrems saga proved that courts can invalidate them with immediate effect. If your transfers depend on adequacy, you need to actively monitor whether that adequacy still holds and have a plan B ready.
Good monitoring goes beyond checking whether a decision is still technically valid. Track what is happening in the third country's data protection landscape - legislative reforms affecting surveillance powers, changes to supervisory authority independence, court rulings that shift how data protection law is interpreted, and political developments that could trigger a Commission review.
The EU-US corridor has been especially turbulent. Safe Harbor fell in 2015 (Schrems I), Privacy Shield fell in 2020 (Schrems II), and the current Data Privacy Framework was adopted in 2023. If you transfer data to the US, monitoring is not optional - it is essential survival planning. You need to be ready to switch mechanisms if history repeats itself.
How to Implement
Build a register of every adequacy decision your organisation relies on. For each one, record the scope (full country, specific sector, specific conditions), which of your transfers it covers, its adoption date and last review, any limitations, and its current status (active, under review, challenged, or revoked).
Set up a monitoring process. Subscribe to European Commission updates, EDPB opinions, and relevant court proceedings. Follow analysis from data protection law firms, privacy bodies like IAPP and NOYB, and supervisory authorities. Assign clear ownership - typically your DPO or legal team - and report on adequacy decision status at least quarterly.
Develop contingency plans for each transfer that depends on adequacy. Identify the alternative mechanism you would use (usually SCCs) and pre-negotiate those SCCs with your data importers now, while there is no urgency. Prepare draft Transfer Impact Assessments that can be finalised and activated quickly if you need to switch.
For US transfers under the Data Privacy Framework, add specific checks. Verify each importer's DPF certification is current by checking the Department of Commerce list regularly. Monitor the Commission's annual review process and any legal challenges to the framework. Make sure your US importers actually understand and comply with their DPF obligations - certification alone means nothing if the principles are not followed.
Test your contingency plans. Run tabletop exercises that simulate an adequacy decision being revoked overnight, then see whether your organisation can actually transition to alternative mechanisms within a reasonable timeframe. Identify bottlenecks and fix them before they matter. Document these exercises for accountability.
Evidence Your Auditor Will Request
- Register of relied-upon adequacy decisions with scope, status, and covered transfers
- Evidence of active monitoring of adequacy decision developments
- Contingency plans with alternative transfer mechanisms for each adequacy-reliant transfer
- DPF certification verification records for US data importers
- Tabletop exercise records testing contingency plan activation
Common Mistakes
- No active monitoring of adequacy decision status, leading to reliance on revoked or outdated decisions
- No contingency plan for adequacy decision revocation, causing business disruption if a decision is invalidated
- Relying on EU-US Data Privacy Framework without verifying individual importer certification status
- Adequacy decision scope not verified - transferring data to sectors or entities not covered by the decision
- No testing of contingency plans, leaving transition readiness theoretical rather than proven
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.5.34 | Related |