Skip to content Skip to sidebar Skip to footer
Menu
Menu
Data Protection & Cybersecurity

EDPB Guidelines for Controllers and Processors in the Event of Requests from Third Countries

22 hours ago
9 minRead time
edpb guidelines third countries
Share This Article
Share Post

On 4 June 2025, the European Data Protection Board (hereinafter, “EDPB“) adopted the final version of Guidelines 02/2024 on Article 48 of the GDPR (hereinafter, the “EDPB Guidelines“). The purpose of the EDPB Guidelines is to clarify the scope of Article 48 of the GDPR โ€“ which governs the limits on the recognition and enforcement of judicial or administrative decisions from third countries requiring the transfer of personal data โ€“ in order to provide practical mechanisms for companies called upon to respond to requests for the transfer or disclosure of personal data from authorities of third countries.

Scope of Application of Article 48 of the GDPR

Pursuant to Article 48 of the GDPR: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.

Although the provision refers exclusively to “judgments” or “decisions”, according to the EDPB Guidelines, the terminology used by the third countries to qualify its request is not relevant; the crucial element is that the request comes from a public authority of a third country and concerns access to personal data. Indeed, according to the EDPB, the scope of Article 48 includes any method through which a controller or processor in the EU could make data accessible to a third country. In other words, any official request from a public authority of a third country โ€“ regardless of its purpose and context โ€“ addressed to a private entity established in the EU falls within the scope of application of Article 48 of the GDPR.

Obligations and Preliminary Assessments for EU-based Entities

If a request is received from a third country authority, the controller is required to carefully assess the request to determine whether it should be complied with. Where the request is addressed to the processor, the latter is required, without undue delay, to inform the controller and comply with its instructions, unless Union or Member State law prohibits such communication for reasons of important public interest.

That said, in deciding whether the transfer is permissible, the following must be carefully assessed:

  1. compliance with Article 6 of the GDPR, relating to the need to identify an appropriate legal basis for the processing; and

  2. compliance with the requirements of Chapter V of the GDPR, regarding transfers of personal data to third countries or international organisations. Indeed, it is necessary to identify one of the grounds expressly indicated in Chapter V of the GDPR in order to carry out an international transfer to third countries.

1. Legal Basis

The first step is to identify the correct legal basis. In particular:

  • Where there is a legal obligation to share data arising from an international agreement, the legal basis is compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR;

  • Where no legal obligation arises from an international agreement, except for the contractual performance basis under Article 6(1)(b) โ€“ which is expressly excluded โ€“ the other potentially applicable legal bases are: Consent, pursuant to Article 6(1)(a) of the GDPR, subject to careful assessment of its applicability to the specific case; Performance of a task carried out in the public interest, pursuant to Article 6(1)(e) of the GDPR, in situations where disclosure, while not mandatory under an international agreement, is permitted under EU or Member State law; Protection of the vital interests of the data subject, pursuant to Article 6(1)(d) of the GDPR; Legitimate interest, pursuant to Article 6(1)(f) of the GDPR. In such cases, it is also essential to carry out a Legitimate Interest Assessment (LIA).

2. Legal Grounds for the Transfer (Chapter V)

Once the legal basis has been identified, it is necessary to identify one of the grounds legitimizing the transfer to third countries, including:

  • Adequacy decision by the European Commission (pursuant to Article 45 of the GDPR): if the European Commission has adopted an adequacy decision attesting to a level of protection equivalent to that offered by the GDPR, the transfer is permissible;

  • Appropriate safeguards (pursuant to Article 46 of the GDPR): in the absence of an adequacy decision, additional safeguards must be identified to permit the transfer. Pursuant to Article 46(2)(a), such safeguards may be provided โ€“ inter alia โ€“ by “a legally binding and enforceable instrument between public authorities or bodies“, i.e., an international agreement under Article 48. However, the mere existence of such an international agreement is not sufficient: it is essential that the agreement contains appropriate safeguards for the transfer. Where such safeguards are absent, the international agreement is insufficient, and additional measures must be adopted (e.g., standard contractual clauses adopted by the European Commission or by a supervisory authority, certification mechanisms).

  • Derogations (Article 49 of the GDPR): in the absence of an applicable adequacy decision or appropriate safeguards, it is possible to rely on the derogations under Article 49 of the GDPR. These allow for data transfers in a limited number of specific situations (e.g., where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims in judicial proceedings), even without the safeguards mentioned above. However, these derogations must be interpreted narrowly, and a thorough case-by-case assessment is essential to determine their applicability.

In conclusion:

  • If an international agreement exists that provides both the legal basis of compliance with a legal obligation and appropriate safeguards, the transfer may take place;

  • If an international agreement exists that provides the legal basis of compliance with a legal obligation but does not include appropriate safeguards, another ground for transfer under Chapter V of the GDPR must be identified;

  • If no international agreement exists, both the legal basis and the ground for the transfer under Chapter V of the GDPR must be identified.

Conclusions

The EDPB Guidelines provide important clarification on requests for personal data from authorities of third countries emphasizing the absence of any form of automatism and the obligation to comply with the principles of the GDPR when transferring data to such authorities.

Every request must be the subject of a careful and thorough assessment, aimed at verifying, on the one hand, the existence of a legal basis for the processing in accordance with Article 6 of the GDPR, and, on the other hand, the presence of a valid ground for the transfer to the third country pursuant to Chapter V of the GDPR.

On a similar topic, you can read the article Meta โ‚ฌ 1.2 bn GDPR fine, what to do with data transfers now? and you can read about “Transfer” DLA Piper’s legal tech tool to support data transfers HERE.

(Visited 8 times, 1 visits today)
Tags:
0LikesShare Post