Adopted on 02 December 2024 - For public consultation

EXECUTIVE SUMMARY

Article 48 GDPR provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.

The purpose of these guidelines is to clarify the rationale and objective of this article, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.

The main objective of the provision is to clarify that judgments or decisions from third country authorities cannot automatically and directly be recognised or enforced in an EU Member State, thus underlining the legal sovereignty vis-a-vis third country law. As a general rule, recognition and enforceability of foreign judgements and decisions is ensured by applicable international agreements.

Regardless of whether an applicable international agreement exists, if a controller or processor in the EU receives and answers a request from a third country authority for personal data, such data flow is a transfer under the GDPR and must comply with Article 6 and the provisions of Chapter V.

An international agreement may provide for both a legal basis (under Article 6(1)(c) or 6(1)(e)) and a ground for transfer (under Article 46(2)(a)).

In the absence of an international agreement, or if the agreement does not provide for a legal basis under Article 6(1)(c) or 6(1)(e), other legal bases could be considered. Similarly, if there is no international agreement or the agreement does not provide for appropriate safeguards under Article 46(2)(a), other grounds for transfer could apply, including the derogations in Article 49.

The European Data Protection Board

Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

Having regard to Article 12 and Article 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING GUIDELINES

1. INTRODUCTION

  1. Article 48 GDPR – with the title “Transfers or disclosures not authorised by Union law” – provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.
  2. The purpose of these guidelines is to clarify the rationale and objective of Article 48 GDPR, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.
  3. The provision is part of Chapter V of the GDPR on “Transfers of personal data to third countries or international organisations”. This means that it has to be read in conjunction with Article 44 GDPR, which clearly states that “all provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. In addition, Article 48 should be read in conjunction with Recital 102 GDPR, which makes clear that the GDPR “(...) is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects”.

2. WHAT IS THE SCOPE OF THESE GUIDELINES?

  1. These guidelines focus on requests aiming at the direct cooperation between a third country public authority and a private entity in the EU (as opposed to other scenarios where personal data is exchanged directly between public authorities in the EU and in third countries respectively, e.g. on the basis of a mutual legal assistance treaty). Such requests may come from all kinds of public authorities, including those supervising the private sector such as banking regulators and tax authorities, as well as authorities dealing with law enforcement and national security.