Article 48 GDPR: New EDPB guidelines on data requests from third countries

The European Data Protection Board has adopted the final version of the guidelines on Article 48 GDPR.
Following a public consultation, the European Data Protection Board (EDPB) has adopted the final version of its guidelines on data transfers to authorities in third countries. In them, the EDPB elaborates on Article 48 GDPR and clarifies how organizations should assess under which conditions they can lawfully respond to requests from authorities in third countries (i.e. non-EU countries) for the transfer of personal data. The guidelines are particularly relevant for companies operating internationally.

Scope of application of the guidelines on Article 48 GDPR

Article 48 GDPR regulates the conditions under which a controller or processor in the EU can be obliged to disclose personal data on the order of an authority of a third country. Key message: Such orders are only legally effective if they are based on an international agreement, such as a bilateral or multilateral mutual legal assistance agreement. Without such an agreement, judgments or administrative decisions from third countries are generally not enforceable within the EU.

EDPB Guidelines 02/2024, finalized on 4 June 2025, aim to clarify the practical significance of Article 48. They are intended to help controllers and processors in the EU respond to third-country requests in accordance with the law. The focus is particularly on:

  • Direct requests from third country authorities to private EU companies.
  • The relationship of Article 48 to the general rules for international data transfers in Chapter V GDPR.
  • Recommendations for the internal handling of such requests.

Cases in which, for example, a parent company in a third country requests the data from its EU subsidiary in order to comply with an official order are not covered, even though this also constitutes an international data transfer. Although such cases fall outside Article 48, they remain subject to the strict requirements of Chapter V GDPR.

Two-step test mechanism ("two-step test") for third country requests

The EDPB guidelines provide for a two-step test for assessing requests from third countries for the disclosure of personal data, so that the requirements of the GDPR are met systematically. This "two-step test" serves as a practical tool for the structured legal classification of such requests:

Step 1: Checking the legal basis in accordance with Article 6 GDPR
First, it must be clarified whether there is a legal basis for processing the personal data in the specific case. A mere request or official order from a third country is not sufficient on its own. Rather, there must be a legal basis under Article 6(1) GDPR, for example:

  • A legal obligation (Art. 6 para. 1 lit. c GDPR) arising from an applicable international agreement.
  • A task in the public interest (Art. 6 para. 1 lit. e GDPR), if national or Union regulations permit such cooperation.
  • In rare exceptional cases, a legitimate interest (Art. 6 para. 1 lit. f GDPR), whereby a strict balancing of interests must be carried out.

Step 2: Existence of a permissible transfer mechanism in accordance with Chapter V GDPR
If processing is permitted under Article 6, a transfer basis in accordance with the provisions of Chapter V is additionally required. Possible bases are:

  • An adequacy decision by the EU Commission (Art. 45 GDPR), which recognizes an equivalent level of data protection in the third country.
  • Appropriate safeguards, in particular through standard data protection clauses, binding corporate rules (BCR) or other instruments pursuant to Article 46 GDPR.
  • In exceptional cases, consent or other exceptions under Article 49 GDPR, which must be interpreted narrowly.

If either the legal basis under Article 6 GDPR or a permissible transfer mechanism under Chapter V is missing, the disclosure of the data is not permitted. This is also illustrated by the schematic diagram in the annex to the guidelines (p. 13), which sets out a step-by-step query. Companies are therefore well advised to establish internal procedures that map and document this two-stage mechanism. Should the need arise, it can then be clearly demonstrated how the data protection assessment was carried out.

What is new in version 2.0 of the guidelines on Article 48 GDPR?

The final version 2.0 takes into account feedback from the public consultation. In particular, it provides the following clarifications:

  • Processors must inform the controller immediately if they receive a third country request, unless they are prohibited from doing so by law.
  • Intra-group data requests from a third country (e.g. via parent companies) are not covered by Article 48, but by the general Chapter V rules.
  • Legitimate interests (Art. 6 para. 1 lit. f) can only be used as a legal basis in exceptional cases; in particular, they cannot justify preventive storage for potential investigative purposes.

In addition, the EDPB clarifies that whether something is a "judgment" or "decision" within the meaning of Article 48 GDPR may not be assessed on the basis of formal or conceptual criteria of third country law. The only decisive factor is whether the underlying act is an official, sovereign measure issued by a foreign authority that is intended to create an obligation for a controller or processor in the EU to transfer personal data. What matters is not how the measure is designated or qualified in the country of origin, but its legally binding, enforcement-like nature and its objective of obtaining data. The protection mechanism of Article 48 GDPR therefore also applies if an official order is not titled a "judgment" or "decision" but in fact serves to compel a data transfer.

International treaties as the linchpin

International agreements form the central link between European data protection law and legal claims from third countries. Article 48 GDPR makes clear that foreign judgments or administrative acts seeking the disclosure of personal data by bodies based in the EU are enforceable only if a corresponding international agreement exists. Without such an agreement, there is neither a legal basis for the processing under Article 6 GDPR nor a connecting factor under transfer law within the meaning of Chapter V GDPR.

In its guidelines, the EDPB emphasizes that such agreements must not only exist formally, but must also provide for specific data protection safeguards in terms of content. These include provisions on purpose limitation, proportionality and restriction of further processing as well as effective supervisory and redress systems in the third country. The agreement must explicitly regulate in which cases and under which conditions a private body in the EU may transfer personal data directly to a foreign state body.

Such an agreement can serve as an appropriate safeguard within the meaning of Article 46(2)(a) GDPR, provided that it is a "legally binding and enforceable instrument between public authorities".

The guidelines particularly emphasize the Second Additional Protocol to the Cybercrime Convention (CETS No. 224). Although it was not yet in force at the time of publication, it provides an example of how future agreements could be structured. It allows third-country authorities direct access to data held by European companies under strict conditions, but sets clear procedural and substantive limits.

Companies are therefore obliged to check, before disclosing any data to third country authorities, whether a corresponding agreement exists that is not only formally applicable but also relevant and specific enough in terms of content. If necessary, they should consult the responsible national ministries (e.g. Ministry of Justice, Ministry of the Interior or Ministry of Foreign Affairs) or the data protection supervisory authorities.

Classification and significance of Article 48 GDPR for companies

The guidelines on Article 48 GDPR are of great importance and highly relevant for companies in the European Union. They concern not only theoretical legal issues but also have a direct practical impact on the compliance practices of companies operating in an international environment. The core message is that third country requests for the disclosure of personal data can no longer be answered informally or pragmatically. Instead, a structured, documented and legally robust approach is essential.

This follows in particular from the fact that the EDPB guidelines make clear that even official orders from third countries (e.g. from law enforcement, supervisory or security authorities) do not automatically create an obligation to disclose data. Rather, every company must check whether there is a suitable legal basis within the meaning of Article 6 GDPR and whether the requirements for a lawful data transfer to a third country under Chapter V GDPR are met. This assessment must be carried out not only formally but also strictly in terms of substantive law, in particular with regard to the balancing of interests, proportionality and data minimization required by the guidelines.

Reading tip: Carry out transfer impact assessments safely with CNIL guidelines

Obligations to act for corporate practice

Companies should first check whether their data protection guidelines, internal directives and incident response plans meet the requirements of the new guidelines. In particular, it must be regulated how requests from third country authorities are handled, who is responsible within the company and which criteria are used for the review. It is advisable to designate central points of contact (e.g. the data protection officer or the legal department) and to introduce a standardized procedure for processing such requests.

In addition, employees, particularly in the Compliance, IT and Legal departments, must be trained on the importance of Article 48 GDPR and the new guidelines. Only by raising awareness and providing regular training can it be ensured that incorrect or hasty data transfers are avoided.

The situation is particularly challenging for international corporate groups. There is often a tension between the expectations of the parent company (e.g. in the USA) and the legal obligations of the European subsidiaries. This makes it all the more important to create group-wide guidelines that meet the requirements of the GDPR and the operational realities. In critical cases, prior consultation with the competent supervisory authority can also be useful.

Companies are also required to document every request from third countries, record the review process in writing and give comprehensible reasons for the rejection or approval of a disclosure. This documentation is also mandatory under the accountability principle in Article 5(2) GDPR.

Overall, the guidelines make it clear that the protection of personal data in cross-border scenarios can only be guaranteed through proactive compliance, legally compliant processes and international coordination.

With the final guidelines, it is clear that companies in the EU can no longer view third-country inquiries merely as compliance risks. Instead, they are legally obliged to establish structured review mechanisms and align their internal processes accordingly.

Source: Guidelines 02/2024 on Article 48 GDPR - Version 2.0

Are you unsure how to assess requests from third country authorities in a legally compliant manner or how to make international data flows GDPR-compliant? Our data protection experts support you with individual advice and operational implementation. Our software Ailance also offers integrated tools for the evaluation of data transfers, automated documentation and the management of Transfer Impact Assessments (TIA). Arrange a non-binding initial consultation directly!
