icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Directive 2016/680/EU - Police and Criminal Justice Authorities Directive (also known as Law Enforcement Directive (LED Directive))RecitalsChapter I General provisions (arts. 1-3)Article 1 Subject-matter and objectivesArticle 2 ScopeArticle 3 DefinitionsChapter II Principles (arts. 4-11)Article 4 Principles relating to processing of personal dataArticle 5 Time-limits for storage and reviewArticle 6 Distinction between different categories of data subjectArticle 7 Distinction between personal data and verification of quality of personal dataArticle 8 Lawfulness of processingArticle 9 Specific processing conditionsArticle 10 Processing of special categories of personal dataArticle 11 Automated individual decision-makingChapter III Rights of the data subject (arts. 12-18)Article 12 Communication and modalities for exercising the rights of the data subjectArticle 13 Information to be made available or given to the data subjectArticle 14 Right of access by the data subjectArticle 15 Limitations to the right of accessArticle 16 Right to rectification or erasure of personal data and restriction of processingArticle 17 Exercise of rights by the data subject and verification by the supervisory authorityArticle 18 Rights of the data subject in criminal investigations and proceedingsChapter IV Controller and processor (arts. 19-34)Section 1 General obligations (arts. 19-28)Article 19 Obligations of the controllerArticle 20 Data protection by design and by defaultArticle 21 Joint controllersArticle 22 ProcessorArticle 23 Processing under the authority of the controller or processorArticle 24 Records of processing activitiesArticle 25 LoggingArticle 26 Cooperation with the supervisory authorityArticle 27 Data protection impact assessmentArticle 28 Prior consultation of the supervisory authoritySection 2 Security of personal data (arts. 29-31)Article 29 Security of processingArticle 30 Notification of a personal data breach to the supervisory authorityArticle 31 Communication of a personal data breach to the data subjectSection 3 Data protection officer (arts. 32-34)Article 32 Designation of the data protection officerArticle 33 Position of the data protection officerArticle 34 Tasks of the data protection officerChapter V Transfers of personal data to third countries or international organisations (arts. 35-40)Article 35 General principles for transfers of personal dataArticle 36 Transfers on the basis of an adequacy decisionArticle 37 Transfers subject to appropriate safeguardsArticle 38 Derogations for specific situationsArticle 39 Transfers of personal data to recipients established in third countriesArticle 40 International cooperation for the protection of personal dataChapter VI Independent supervisory authorities (arts. 41-49)Section 1 Independent status (arts. 41-44)Article 41 Supervisory authorityArticle 42 IndependenceArticle 43 General conditions for the members of the supervisory authorityArticle 44 Rules on the establishment of the supervisory authoritySection 2 Competence, tasks and powers (arts. 45-49)Article 45 CompetenceArticle 46 TasksArticle 47 PowersArticle 48 Reporting of infringementsArticle 49 Activity reportsChapter VII Cooperation (arts. 50-51)Article 50 Mutual assistanceArticle 51 Tasks of the BoardChapter VIII Remedies, liability and penalties (arts. 52-57)Article 52 Right to lodge a complaint with a supervisory authorityArticle 53 Right to an effective judicial remedy against a supervisory authorityArticle 54 Right to an effective judicial remedy against a controller or processorArticle 55 Representation of data subjectsArticle 56 Right to compensationArticle 57 PenaltiesChapter IX Implementing acts (art. 58)Article 58 Committee procedureChapter X Final provisions (arts. 59-65)Article 59 Repeal of Framework Decision 2008/977/JHAArticle 60 Union legal acts already in forceArticle 61 Relationship with previously concluded international agreements in the field of judicial cooperation in criminal matters and police cooperationArticle 62 Commission reportsArticle 63 TranspositionArticle 64 Entry into forceArticle 65 AddresseesDone at
Page Overview
Related
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2 
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Recently generated comparisons
None generated
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 19th April 2026
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application

AI Summary of Article 36 Transfers on the basis of an adequacy decision

Member States are required to ensure that transfers of personal data to third countries or international organisations only occur if the European Commission determines that an adequate level of protection is in place. This process requires consideration of various factors, including the rule of law, human rights, relevant legislation, the effectiveness of data protection enforcement, and the existence of independent supervisory authorities. The Commission must evaluate these criteria and periodically review its decisions on adequacy every four years.

If it is found that a third country or organisation no longer ensures adequate protection, the Commission has the authority to repeal, amend, or suspend the decision through implementing acts. Urgent situations may allow for immediate implementations without retroactive effect. Finally, the Commission must publish a list of third countries and organisations with current adequacy determinations in the Official Journal of the European Union.

PreviousNext
Version status: Entered into force | Document consolidation status: No known changes
Version date: 5 May 2016 - onwards
Version 2 of 2

Article 36 Transfers on the basis of an adequacy decision

1. Member States shall provide that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are transferred;

PreviousNext