Following a public consultation, the European Data Protection Board (EDPB) has published the final version of its Guidelines on data transfers to authorities in third countries. In these Guidelines the EDPB goes into more detail on Article 48 GDPR and clarifies how organizations can best assess the conditions under which they can lawfully respond to requests for the transfer of personal data from authorities in third countries (i.e. non-EU countries). The Guidelines are particularly relevant for internationally operating companies.
Scope of application of the Guidelines to Article 48 GDPR
Article 48 GDPR regulates the conditions under which a controller or processor in the EU can be bound to disclose personal data by order of an authority of a third country. Key message: such orders are only legally effective if they are based on an agreement under international law, such as a bilateral or multilateral mutual legal assistance agreement. Without such an agreement, judgments or administrative decisions from third countries are generally not enforceable within the EU.
Guidelines 02/2024 of the EDPB, finalized on June 4, 2025, aim to clarify the practical significance of Article 48. They are intended to help controllers in the EU respond to third-country requests in accordance with the law. The focus is particularly on:
- Direct requests from third country authorities to private EU companies.
- The relationship of Article 48 to the general rules on international data transfers in Chapter V GDPR.
- Recommendations for the internal handling of such requests.
The Guidelines do not cover cases in which, for example, a parent company in a third country requests data from its EU subsidiary in order to comply with an official order, although this also constitutes an international data transfer. Although these cases are not directly covered by Article 48, they remain subject to the strict requirements of Chapter V GDPR.
Two-step test mechanism ("two-step test") for third country requests
The Guidelines of the EDPB provide for a two-stage assessment of requests from third countries for the disclosure of personal data in order to meet the requirements of the GDPR systematically. This so-called "two-step test" serves as a practical tool for the structured legal classification of such requests:
Step 1: Examination of the legal basis under Article 6 GDPR
First of all, it must be clarified whether there is any legal basis at all for the processing of personal data. A mere request or official order from a third country is not sufficient. Rather, a legal basis under Article 6(1) GDPR must exist, for example:
- A legal obligation (Art. 6 para. 1 lit. c GDPR) arising from an applicable international agreement.
- A task in the public interest (Art. 6 para. 1 lit. e GDPR) if national or Union regulations permit such cooperation.
- In rare exceptional cases, a legitimate interest (Art. 6 para. 1 lit. f GDPR), in which case a strict balancing of interests must be carried out.
Step 2: Existence of a permissible transmission mechanism in accordance with Chapter V GDPR
If the processing is permitted under Article 6, an additional transfer mechanism in accordance with the provisions of Chapter V is required:
- An adequacy decision of the EU Commission (Art. 45 GDPR), which recognizes an equivalent level of data protection in the third country.
- Appropriate safeguards, in particular through standard data protection clauses, binding corporate rules (BCR) or other instruments in accordance with Article 46 GDPR.
- In exceptional cases, consent or another derogation under Article 49 GDPR, which, however, must be interpreted narrowly.
If either the legal basis under Article 6 GDPR or a permissible transfer mechanism under Chapter V is missing, the disclosure of the data is not permitted. This is also illustrated by the schematic diagram in the annex to the Guidelines (p. 13), which provides a step-by-step query. Companies are therefore well advised to establish internal procedures that map and document this two-stage mechanism. In the event of an incident, it can then be clearly demonstrated how the data protection assessment was carried out.
What's new in version 2.0 of the Guidelines to Article 48 GDPR?
The final version 2.0 takes into account feedback from the public consultation. In particular, it provides the following clarifications:
- Processors must inform the controller immediately if they receive a request from a third country. The only exception is where they are prohibited by law from doing so.
- Intra-group data requests from a third country (e.g. via parent companies) are not covered by Article 48, but by the general Chapter V rules.
- Legitimate interests (Art. 6 para. 1 lit. f) can only be used as a legal basis in exceptional cases. In particular, they cannot justify precautionary storage of data for potential investigative purposes.
In addition, the EDPB clarifies that the terms "judgment" and "decision" within the meaning of Article 48 GDPR cannot be assessed on the basis of formal or conceptual criteria of third country law. The only decisive factor is whether the underlying measure is an official, sovereign act issued by a foreign authority that imposes an obligation on a controller or processor in the EU to carry out a transfer of personal data relevant under data protection law. What matters is not how the measure is designated or qualified in the country of origin, but rather its legally binding and enforcement-like nature and the purpose of the data collection. The protection mechanism of Article 48 GDPR therefore also applies if an official order is not titled a "judgment" or "decision" but in fact has the purpose of compelling data disclosure.
International treaties as the linchpin
International agreements form the central link between the European data protection order and legal claims from third countries. Article 48 GDPR clearly states that foreign judgments or administrative acts seeking the disclosure of personal data by bodies based in the EU are only enforceable if a corresponding agreement under international law exists. Without such an agreement, there is neither a legal basis for the processing under Article 6 GDPR nor a connecting factor under transfer law within the meaning of Chapter V GDPR.
In its Guidelines the EDPB emphasizes that such agreements must not only exist formally, but must also provide for specific data protection safeguards in terms of content. These include provisions on purpose limitation, proportionality and limitation of further processing, as well as effective supervisory and redress systems in the third country. The agreement must explicitly regulate in which cases and under which conditions a private entity in the EU may transfer personal data directly to a foreign government agency.
Such an agreement may be considered an appropriate safeguard within the meaning of Art. 46 para. 2 lit. a GDPR, provided that it is a "legally binding and enforceable instrument between public authorities".
In the Guidelines, the Second Additional Protocol to the Cybercrime Convention (CETS No. 224) is highlighted in particular. Although it was not yet in force at the time of publication, it provides an example of how future agreements could be structured. It allows third country authorities direct access to data of European companies under strict conditions, but sets clear substantive and procedural limits.
Companies are therefore obliged to check whether a corresponding agreement exists that is not only formally applicable, but also relevant and specific enough in terms of content, before disclosing any data to third country authorities. If necessary, they should consult with the responsible national ministries (e.g. Ministry of Justice, Ministry of the Interior or Ministry of Foreign Affairs) or the data protection supervisory authorities.
Classification and meaning of Article 48 GDPR for companies
The Guidelines to Article 48 GDPR are of great importance and highly relevant for companies in the European Union. They not only concern theoretical legal issues, but also have a direct practical impact on the compliance practices of companies operating in an international environment. The core message is that third country requests for the disclosure of personal data can no longer be answered informally or pragmatically. Instead, a structured, documented and legally robust approach is absolutely essential.
This results in particular from the fact that the Guidelines of the EDPB are intended to make it unmistakably clear that even official orders from third countries (e.g. from law enforcement, supervisory or security authorities) do not automatically lead to an obligation to disclose data. Rather, every company must check whether a suitable legal basis within the meaning of Article 6 GDPR exists and whether the conditions for a lawful transfer of data to a third country in accordance with Chapter V GDPR are fulfilled. This examination must not only be carried out formally, but also strictly in terms of substantive law, particularly with regard to the balancing of interests, proportionality and data minimization required by the Guidelines.
Obligations to act for corporate practice
Companies should first check whether their data protection guidelines, internal directives and incident response plans meet the requirements of the new Guidelines. In particular, it must be regulated how requests from third country authorities are handled, who is responsible within the company and which criteria are used for the review. It is advisable to designate central points of contact (e.g. the data protection officer or the legal department) and to introduce a standardized procedure for processing such requests.
In addition, employees, particularly in the compliance, IT and legal departments, must be trained on the meaning of Article 48 GDPR and the new Guidelines. Only awareness-raising and regular training can ensure that incorrect or premature data transfers are avoided.
The situation is particularly challenging for international corporate groups. There is often a tension between the expectations of the parent company (e.g. in the USA) and the legal obligations of the European subsidiaries. This makes it all the more important to create group-wide guidelines that reconcile the requirements of the GDPR with operational realities. In critical cases, a preliminary consultation with the responsible supervisory authority can be useful.
Companies are also required to document every request from third countries, record the review process in writing and provide comprehensible reasons for the rejection or approval of a disclosure. This documentation is also mandatory in the sense of accountability under Article 5(2) GDPR.
Overall, the Guidelines make clear that the protection of personal data in cross-border scenarios can only be guaranteed through proactive compliance, legally compliant processes and international coordination.
With the final Guidelines it is clear that companies in the EU can no longer view third country inquiries merely as compliance risks. Instead, they are legally obliged to establish structured review mechanisms and align their internal processes accordingly.
Source: Guidelines 02/2024 on Article 48 GDPR - Version 2.0
Are you unsure how to assess requests from third country authorities in a legally compliant manner or how to make international data flows GDPR-compliant? Our data protection experts support you with individual advice and operational implementation. Our software Ailance also offers integrated tools for evaluating data transfers, automated documentation and managing Transfer Impact Assessments (TIA). Arrange a non-binding initial consultation directly!