Under the FADP in force from September 2023, the Federal Council is responsible for deciding whether a State, a territory, a specific sector in a State or an international body offers an adequate level of data protection. The task of assessing the adequacy of the level of protection falls to the Federal Office of Justice.
Article 8 of the DPO sets out a number of criteria that must be taken into account in the assessments:
a. international obligations, in particular in relation to data protection;
b. the rule of law and respect for human rights;
c. the legislation applicable, in particular to data protection, its implementation and the relevant case law;
d. data subjects’ rights and redress are effectively guaranteed;
e. the effective functioning of one or more independent authorities that are responsible for data protection and that have sufficient powers and responsibilities.
Annex 1 to the DPO contains a list of States with an adequate level of data protection. This list, which is binding, is reproduced in the table below.
It should be noted that under the FADP in force until August 2023, the Federal Data Protection and Information Commissioner (FDPIC) had drawn up a list of States offering an adequate level of data protection, but it was still up to the data exporter to assess whether data was adequately protected in another State and to ensure that the data concerned was in fact protected. This is no longer the case under the new regime.
List of States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection
State, territory, specified sector within a State or international body |
Additional information and documentation: |
|---|---|
Germany* |
|
Andorra*** |
|
Argentina*** |
|
Austria* |
|
Belgium* |
|
Bulgaria*** |
|
Canada*** |
An adequate level of data protection is guaranteed if the Canadian Federal Act on Personal Information Protection and Electronic Documents of 13 April 2000 or the act of a Canadian province that largely corresponds to this Federal Act applies to the private sphere. The Federal Act applies to personal data that is collected, processed or disclosed in the course of commercial activities, irrespective of whether it relates to organisations such as associations, partnerships, individuals or trade unions or undertakings regulated by federal law such as facilities, works, undertakings or business activities that fall within the legislative authority of the Canadian Parliament. The provinces of Quebec, British Columbia and Alberta have issued an act that largely corresponds to the Federal Act; the provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia have issued an act that largely corresponds to this act in relation to health data. In all Canadian provinces, the Federal Act applies to all personal data that are collected, processed or disclosed by undertakings regulated by federal law, including data on employees of these undertakings. The Federal Act also applies to personal data transferred to another province or another country in the course of commercial activities. |
Cyprus*** |
|
Croatia*** |
|
Denmark* |
|
Spain* |
|
Estonia* |
|
Finland* |
|
France* |
|
Gibraltar*** |
|
Greece* |
|
Guernsey*** |
|
Hungary* |
|
Isle of Man*** |
|
Faroe Islands*** |
|
Ireland*** |
|
Iceland* |
|
Israel*** |
|
Italy* |
|
Jersey*** |
|
Latvia* |
|
Liechtenstein* |
|
Lithuania* |
|
Luxembourg* |
|
Malta* |
|
Monaco*** |
|
Norway* |
|
New Zealand*** |
|
Netherlands* |
|
Poland* |
|
Portugal* |
|
Czech Republic* |
|
Romania*** |
|
United Kingdom** |
|
Slovakia* |
|
Slovenia* |
|
Sweden* |
|
Uruguay*** |
|
* The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with Directive (EU) 2016/680 (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89).
** The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with an implementing decision of the European Commission in which the adequacy of data protection is established in accordance with Directive (EU) 2016/680.
*** The assessment of the adequacy of data protection does not include the disclosure of personal data in terms of the cooperation provided for under Directive (EU) 2016/680.
Table: Updated to 1st September 2023
Last modification 11.07.2023
