• laws relating to data protection in the country or international organisation • profession rules and security measures which are complied with in that country or international organisation Adequacy Levels Assessment The GDPR Article 46 sets conditions for data transfer which are reflected in most laws including this Act and POPIA, Section 72. These conditions were also discussed in the famous case before the European Court of Justice involving the Ireland Data Protection Commissioner v Facebook Ireland Ltd 59 Adequate level of protection is reached through a clear assessment of various elements and surrounding circumstances all relevant for data protection, but not only what is provided in the data protection law. *• The observance of the rule including respect for human rights • Analysis of relevant laws, and legislation including security criminal laws. • Access of public authorities to personal information. • Data protection rules, professional rules and security measures. • Judicial precedents/case law on enforcement of data protection laws. • Effective administrative and judicial remedies for data subjects on data transfer. • Presence of independent and functional one or more data supervisory/protection Authority: o Capable of enforcing compliance with data protections laws. o Sufficient powers to enforce laws. o Capable of assisting data subjects in exercising their rights. o International cooperation with other data supervisory authorities. Section 28 (3) of the Act provides that the Authority shall provide categories of data processing and transfers to other countries which is not authorised. Further, there is oversight and control in the implementation of this provision by the Cyber Security and Monitoring Centre as per Section 28 (4). These provisions might be interpretated as encouraging data localisation, and therefore restricting the movement or processing of personal data outside Zimbabwe. The Act lists circumstances in which transfer takes place under Section 28. However, a data controller might need to take additional steps to satisfy themselves on the provision of adequate data protection in the third country or international organisation. If that is not possible, then other means to transfer data might be used such as binding corporate rules (BCR) or standard contract clauses (SCC) which confirm that there are appropriate technical and organisational safeguards for data protection of a similar standing in the recipient country or organisation. BINDING CORPORATE RULES Chad Gore Technologies has an operating unit and company in Zambia which is solely responsible for data warehousing and providing of data processing tools and resources for Chad Gore Technologies. Chad Gore Technologies will develop data protection policies that will be adhered to by all the companies for transfers of personal data outside Zimbabwe. The BCR must, however, be approved by DPA. Multinational companies usually use BCRs. • International law commitments through conventions and treaties such as those that relate to data protection, for instance, the Council of Europe Convention on Personal Data, 59 32 M I S A Z I M B A B W E • G U I D E T O T H E Facebook Case C-311/18. Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2