Section 42 Nigeria Data Protection Act 2023
Section 42 of the Nigeria Data Protection Act 2023 is about Adequacy of protection. It is under Part VIII (Cross-border Transfers of Personal Data) of the Act.
(1) A level of protection is adequate for the purposes of this section if it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in this Act.
(2) The adequacy of protection referred to in subsection (1) shall be assessed taking into account the —
(a) availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law ;
(b) existence of any appropriate instrument between the Commission and a competent authority in the recipient jurisdiction that ensures adequate data protection ;
(c) access of a public authority to personal data ;
(d) existence of an effective data protection law ;
(e) existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers ; and
(f ) international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.
(3) The Commission shall issue guidelines as to the assessment of adequacy and the factors set out under subsection (2).
(4) The Commission may determine whether a country, region or specified sector within a country, or standard contractual clauses, affords an adequate level of protection under subsection (1).
(5) The Commission may approve binding corporate rules, codes of conduct, certification mechanisms or similar instruments for data transfer proposed to it, where the Commission is satisfied that such instruments meet appropriate standards of data protection in accordance with the objectives of this Act.
(6) The absence of a determination by the Commission under subsection (4) or (5) with respect to a country, territory, sector, binding corporate rules, contractual clause, code of conduct, or certification mechanism shall not imply the adequacy of the protections afforded by it.
(7) The Commission may make a determination under subsection (4) based on adequacy decision made by a competent authority of other jurisdictions, where such decision have taken into account factors similar to those listed in this section.
