ERDEM-NEWSLETTER-2018-metin

336 NEWSLETTER 2018 are located. For instance, if a company offers products and services to data subjects who are in the EU, or monitors their behavior within the EU , while not being established in the EU, the GDPR requires such company to appoint a representative in the EU as a contact person. Transfers on the basis of an Adequacy Decision The European Commission (“Commission”) has the authority to decide whether a country outside the EU or an international orga- nization ensures that an adequate level of protection for the transfer of personal data exists. Pursuant to Article 45(3), after assessing the adequacy of the level of protection, the Commission may decide, by means of implementing an act, that a third country, a territory, or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection within the meaning of paragraph 2 of this Article (45(2)). A list of the third countries, territories, and specified sectors within a third country and any international organizations that the Commission has decided that an adequate level of protection is, or is no longer ensured, shall be published in the Official Journal of the European Union, as well as on its website. Thus far, the Commission has recognized Andorra, Argen- tina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as countries that provide adequate protection 3 . In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an inter- national organization only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data sub- ject rights, and effective legal remedies for data subjects, are available. Imposing Administrative Fines For the purpose of empowering the enforcement of the rules of the GDPR, the administrative fines to be imposed in the event of any infringement of this Regulation are firm. Taking into consideration the tiered system under Article 83, each supervisory authority shall ensure 3 https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/ adequacy-protection-personal-data-non-eu-countries_en (Access date: 01.06.2018).