Designated Countries

Countries or territories that have been officially determined to provide adequate data protection, allowing personal data to be transferred there without additional safeguards. Under GDPR, these are countries with adequacy decisions from the European Commission. Under other laws, similar designations may exist using different terminology. Designated countries currently include Argentina, Canada (for commercial organizations under PIPEDA), Switzerland, the United Kingdom, Japan, New Zealand, South Korea, and others. Once a country is designated, data can flow there as freely as within the originating jurisdiction—for example, EU data can transfer to Switzerland under essentially the same rules as transfers between EU member states. Organizations should understand which countries are designated under applicable laws, monitor changes to designation status (designations can be suspended or revoked), and ensure that if using designated country transfers, the recipient is actually subject to adequate protections (not all entities in designated countries necessarily qualify).