Answer given by Mr Reynders on behalf of the European Commission

As noted by the Honourable Members, the adequacy decision[1] regarding Israel provides, at Article 2, that it should be applied in accordance with international law.

This article shall be read in light of Recital 14 that further clarifies that ‘the adequacy findings pertaining to this decision refer to the State of Israel, as defined in accordance with international law’ and that ‘onward transfers to a recipient outside the State of Israel, as defined in accordance with international law, should be considered as transfers of personal data to a third country’.

This means that the territorial scope of application of this decision is limited to the internationally recognised, pre-1967 borders of the State of Israel. It also means that this decision cannot be relied upon for transfers of personal data between the EU and the Occupied Territories.

Under Article 58 of the General Data Protection Regulation (GDPR)[2], national data protection authorities have notably the power to suspend data flows to a recipient in a third State if not in line with the requirements of EU data protection law.

As regards the ongoing review of the adequacy decision, such a review, as required by the article 45 and Article 97 of the GDPR, will evaluate all relevant aspects of the functioning of the adequacy decision.

It will in particular draw on the relevant case-law of the Court of Justice of the EU and the guidance provided by the European Data Protection Board[3].

• [1] Commission decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (OJ L 27, 1.2.2011, p. 39‐42).
• [2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1‐88).
• [3] See European Data Protection Board Adequacy Referential, available at:
  https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en