Article 8
Assessing the adequacy of the data protection offered by a State, territory, specified sector in a State, or international body
- The States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection are listed in Annex 1.
- When assessing whether a State, a territory, a specified sector in a State or an international body guarantees an adequate level of data protection, the following criteria in particular shall be considered:
- a. the international obligations of the State or international body, in particular in relation to data protection;
- b. whether it respects the rule of law and human rights;
- c. the legislation applicable, in particular to data protection, its implementation and the relevant case law;
- d. that data subjects’ rights and redress are effectively guaranteed;
- e. the effective functioning of one or more independent authorities in the State concerned that are responsible for data protection or to which an international body is accountable and that have sufficient powers and responsibilities.
- The Federal Data Protection and Information Commissioner (FDPIC) shall be consulted in the course of each assessment. The assessments of international bodies or foreign authorities responsible for data protection may be taken into account.
- The adequacy of the data protection shall be reassessed periodically.
- The assessments shall be made public.
- If the assessment under paragraph 4 or other information show that an adequate level of data protection is no longer guaranteed, Annex 1 shall be amended; this shall have no effect on disclosures of data already carried out.