A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements:
- the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred,
- the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules,
- the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.