During its latest plenary, the European Data Protection Board (EDPB) published guidelines on Article 48 of the GDPR about data transfers to third country authorities and approved a new European Data Protection Seal.
Assessing data transfer requests by third country authorities
Organisations often receive requests from public authorities in other countries to share personal data. Sharing data can, for instance, help to collect evidence in a criminal case, to check financial transactions or to approve new medications.
When a European organisation receives a request for a transfer of data from an authority from outside the EEA, it must comply with the GDPR. In its guidelines, the EDPB concentrates on Article 48 of the GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. The guidance aims to help organisations decide if they can lawfully transfer personal data to third country authorities when they are asked to do so.
Judgments or decisions from third country authorities cannot automatically be recognised or enforced in the EEA. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer (for example, between the UK and the EU). If there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case-by-case basis.
The consultation on the guidelines ends on 27 January 2025.
Approval of EU Data Protection Seal
The EDPB also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now apply across the EEA and as a European Data Protection Seal. GDPR certification helps organisations demonstrate their compliance with data protection law. This transparency aims to help people trust the product, service, process or system for which organisations process their personal data.