This working document is published on 28 November 2017. The WP29 points out that the principles set out in this working document are not addressed directly to data controllers or processors, but aim to provide guidance to the EC for the assessment of the level of data protection in third countries and international organizations.

It provides information on 1) the concept of adequacy, 2) the procedural aspect for adequacy findings under the GDPR, 3) the core general data protection principles to ensure a level of data protection that is equivalent to a country established in the EU (which must contain certain basic content and certain procedural/enforcement principles and mechanisms), and 4) essential guarantees for law enforcement and national security access to limit the interference to fundamental rights. The latter (essential guarantees) should take into account that 1) processing should have a legal basis, 2) necessity and proportionality need to be demonstrated, 3) the processing has to be subject to independent oversight, and 4) effective remedies need to be made available to individuals.