Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities ("DPAs"), in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the European Union to business operators in Japan. The Commission should also be informed about any indications that the actions of Japanese public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security, including any oversight bodies, do not ensure the required level of protection.

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. At the same time, as explained by the Court of Justice in the Schrems judgment (148) and recognised in Article 58(5) of the Regulation, where a DPA questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (149).