Countries having Data Protection Adequacy

Transfers of personal data to third countries are regulated under Articles 27 and 28 of the Data Protection Act and also by virtue of Subsidiary Legislation 440.03​ 'Third County (Data Protection Act) Regulations, 2003’.

A transfer of personal data to another country constitutes processing and as such the processing operation must be notified to the Commissioner accordingly. No restrictions or other formalities apply in relation to transfer of personal data to:

  1. EU Member States;

  2. Member countries of the EEA;

  3. Third countries which are, from time to time, recognised by the EU Commission to have an adequate level of protection; Click here to view the official list​

The transfer of personal data to a third country that does not ensure an adequate level of protection requires an authorisation by the Commissioner.