Lex.

Data Protection Directive

Article 25

Untitled

Principles

1\. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2\. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3\. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4\. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5\. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6\. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission's decision.

Holdings

/
C-362/146 Oct 2015

Maximillian Schrems v Data Protection Commissioner

A Commission adequacy decision under Article 25(6) of Directive 95/46, such as Decision 2000/520, does not prevent a Member State supervisory authority under Article 28 from examining a person's claim that a transfer of personal data relating to that person from a Member State to the third country concerned does not adequately protect that person's rights and freedoms, where the person argues that the third country's law and practice do not ensure an adequate level of protection.

C-101/016 Nov 2003

Criminal proceedings against Bodil Lindqvist.

Where an individual in a Member State uploads personal data to an internet page hosted by a natural or legal person established in that State or in another Member State, there is no transfer of data to a third country under Article 25 of Directive 95/46, even if the data can be accessed on the internet by people in third countries.