The European Data Protection Board (EDPB) has adopted guidelines on Article 37 of the Law Enforcement Directive (LED). Guidelines explain the legal requirements applicable to transfers of personal data by EU authorities to third countries and international organisations. Crucially, any transfer must guarantee an equivalent level of protection, never falling below the EU’s standard.
The Guidelines provide a comprehensive overview of the legal obligations and practical considerations for drafting legally binding instruments for transfers per Article 37 of the GDPR. They also address the role of national data protection authorities in negotiations and implementation review. Moreover, they provide actionable advice such as elements to include in instruments and examples of categories and assessments of transfers.
Key points:
- The guidelines clarify the legal standard for appropriate safeguards that competent authorities need to apply when transferring personal data.
- They serve as a reference for EU countries when concluding or amending transfer instruments under Article 37 of the LED.
- The guidelines also address the role of national data protection authorities and the accountability obligations of data controllers.
- They emphasize the need for an essentially equivalent level of protection for personal data transfers and provide practical guidance on legally binding instruments and assessments by controllers.
The Guidelines is subject to public consultation.