EDPB Publishes Final Version of Guidelines on Data Transfers to Third-Country Authorities

EDPB Publishes Final Version of Guidelines on Data Transfers to Third-Country Authorities

In an increasingly interconnected world, the transfer of personal data to third countries has become a common practice. However, this practice poses significant challenges in terms of data protection, especially when the authorities of those third countries request access to such data.

To address this issue, the European Data Protection Board (EDPB) has published the final version of its guidelines on Article 48 of the General Data Protection Regulation (GDPR). These guidelines, adopted on June 4, 2025, aim to clarify the conditions under which data controllers and processors in the European Union (EU) can legally respond to these requests, while ensuring that the level of data protection guaranteed by the GDPR is not compromised.

What are the EDPB Guidelines on Article 48 of the GDPR?

The EDPB guidelines on Article 48 of the GDPR are an essential document that provides a detailed interpretation of this provision of the GDPR. Article 48 states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a data controller or processor to transfer or disclose personal data may only be recognized or enforced if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State.

The main objective of these guidelines is to protect personal data from the extraterritorial application of third-country laws that may violate international law and impede the protection of natural persons guaranteed by the GDPR. In essence, the EDPB seeks to ensure that the decisions of foreign authorities are not automatically recognized or enforceable in the EU, underscoring the EU’s legal sovereignty vis-à-vis the laws of third countries.

Need to Comply with the GDPR

The EDPB guidelines make it clear that any transfer or disclosure of personal data in response to a request from a third-country authority must comply with the requirements of the GDPR. This implies that there must be a legal basis for the processing of the data, in accordance with Article 6 of the GDPR, and that the requirements for transfers of personal data to third countries or international organizations must be met, according to Chapter V of the GDPR.

The EDPB emphasizes that a request from a foreign authority does not in itself constitute a legal basis for the processing or a reason for the transfer. Organizations must carry out a thorough assessment to determine whether there is a valid legal basis for the transfer, such as the data subject’s consent, the need to comply with a legal obligation, or the existence of a legitimate interest.

In this regard, the guidelines point out that Article 6(1)(c) of the GDPR, which allows the processing of data when necessary to comply with a legal obligation, may be an appropriate legal basis if there is an applicable international agreement that obliges the organization to respond to the request of the third-country authority. However, if no such agreement exists, organizations must explore other legal bases and ensure that all the requirements of Chapter V of the GDPR are met.

It is necessary for both the controller and the processor to understand their roles and responsibilities under the GDPR when faced with these requests. The controller determines the purposes and means of the processing of personal data, while the processor processes the data on behalf of the controller. Both must collaborate to ensure compliance with the GDPR.

Tools for International Data Transfer

Chapter V of the GDPR establishes several tools that can be used to transfer personal data to third countries legally. These tools include:

1. Adequacy decisions: the European Commission may determine that a third country guarantees a level of data protection essentially equivalent to that guaranteed in the EU. In these cases, the transfer of data to that third country does not require any additional authorization.
2. Appropriate safeguards: In the absence of an adequacy decision, organizations may resort to appropriate safeguards, such as standard contractual clauses approved by the European Commission, binding corporate rules, or approved codes of conduct.
3. Derogations for specific situations: in exceptional situations, when it is not possible to resort to an adequacy decision or appropriate safeguards, Article 49 of the GDPR establishes a series of derogations that allow the transfer of data in specific circumstances, such as when it is necessary to protect the vital interests of the data subject or for the exercise of legal actions.

In summary, the EDPB’s new guidelines on Article 48 of the GDPR are an essential tool for any organization operating in Europe and handling data that may be requested by authorities outside the EU. It is not just about complying with a regulation, but about protecting the fundamental rights of individuals and maintaining trust in an increasingly globalized digital environment. Adapting to these guidelines may seem complex, but it is a necessary step towards building a more secure and transparent data ecosystem for all.

At Letslaw we are expert lawyers in digital law, so we can advise you on everything you need.