EDPB Publishes Guidelines on GDPR Data Transfers to Non-European Authorities
On December 3rd, the European Data Protection Board (EDPB) published new guidelines regarding Article 48 of the General Data Protection Regulation (GDPR), focusing on data transfers to authorities in non-European countries. These guidelines aim to assist organizations in evaluating requests from foreign public authorities for personal data sharing, which can be crucial for various purposes such as crime investigation, financial transaction verification, or medication approval.
When a European organization receives a request for data transfer from a third country authority, it must adhere to GDPR regulations. The EDPB’s guidelines clarify the conditions under which organizations can lawfully respond to such requests. They emphasize that any response to a request for personal data constitutes a data transfer, thus triggering the application of GDPR. If there is no international agreement that provides a suitable legal basis or safeguards, organizations may need to consider other legal bases or grounds for transfer on a case-by-case basis.
The guidelines are currently open for public consultation until January 27, 2025. Organizations are encouraged to review these guidelines to ensure they are prepared to navigate the complexities of international data transfers while maintaining compliance with GDPR.
