‘Adequacy’ is a term used to describe countries, territories, sectors or organisations that are deemed to have an “essentially equivalent” level of data protection to that of the jurisdiction(s) granting said adequacy. For example, countries having ‘EU Adequacy’ would be deemed by the EU Commission to have an essentially equivalent level of data protection to that required under the EU GDPR.
At the end of the transition period, Gibraltar became a “third country” for the purposes of the EU GDPR. Third countries are non-EU Member States that have not been granted EU Adequacy, and for which there are specific provisions within the EU GDPR, in particular regarding transfers of personal data to the same.
The EU Commission has the power to determine whether a non-EU Member State has an equivalent level of data protection to that imposed by the EU GDPR. The effect of a favourable adequacy decision is that personal data can flow from jurisdictions governed by the EU GDPR to the relevant third country, without the requirement for any additional safeguards.
Gibraltar is currently seeking, but has not yet obtained, favourable adequacy decisions from the EU Commission under both the EU GDPR and the Law Enforcement Directive. The Information Commissioner’s guidance will be updated should there be any developments in this area.
For more information, please refer to the Information Commissioner’s guidance on ‘(11) International Transfers’ as well as ‘(10) Getting ready for Brexit’.