DATA PROTECTION IN DECEMBER 2024

By Mugurel Olariu, RPD protectie date

In the plenary session of 2/3 December 2024, the EDPB adopted several working tools, among which we would like to highlight for industry operators the Guidelines no. 2/2024 on Article 48 of the GDPR [1].

Article 48 of the GDPR – entitled “Transfers or disclosures not authorised by Union law” – provides that: “Any judgment of a court or any decision of an administrative authority in a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforced in any manner only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer in accordance with this Chapter”.

The purpose of these guidelines is to clarify the rationale and objective of Article 48 of the GDPR, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical advice for EU controllers and processors who may receive requests from third country authorities to disclose or transfer personal data.

These guidelines focus on requests that involve direct cooperation between a public authority in a third country and a private entity in the EU (as opposed to other scenarios where personal data are exchanged directly between public authorities in the EU and third countries, respectively, for example on the basis of a mutual assistance treaty). Such requests can come from all types of public authorities, including those supervising the private sector, such as banking regulators and tax authorities, as well as authorities dealing with law enforcement and national security.

Article 48 applies in situations where the controller or processor in the EU receives a decision or judgment from an administrative authority or a court in a third country requiring the transfer or disclosure of personal data. The wording of the provision, “court”, “tribunal” and “administrative authority”, refers to a public body in a third country. The EDPB notes that the terminology used by the third country public body to qualify its request as a ‘decision’ or ‘judgment’ is not decisive for the application of Article 48, as long as it is a formal request from a third country authority.

Article 48 is part of Chapter V of the GDPR on ‘Transfers of personal data to third countries or international organisations’ and should be read in conjunction with Article 44 of the GDPR, which provides that ‘any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are met by the controller and the processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation’. Furthermore, Recital 115 of the GDPR clarifies that transfers should only be permitted if the conditions of the GDPR are met. This means that any transfer or disclosure of personal data in response to a request from an authority in a third country requires a legal basis for the processing (Article 6 of the GDPR) and compliance with the requirements for transfers of personal data to third countries or international organisations (Chapter V of the GDPR).

The annex to the guidelines sets out the questions that support the correct assessment and qualification of a request before personal data are transferred to a third country, namely:

  1. Is the request based on a judgment or decision of a court or tribunal or an administrative authority of a third country?
  2. Is the judgment or decision based on an applicable international agreement?
  3. Does the international agreement provide a legal basis under Article 6(1)(c) or Article 6(1)(e) GDPR for the data transfer?
  4. Does the international agreement contain appropriate safeguards in accordance with Article 46(2)(a) GDPR and the EDPB Guidelines 2/2020?

Please note that only affirmative answers to all four questions make the data transfer to the third country possible, as a guarantee of compliance with any relevant provisions of the GDPR.

Otherwise, if any of the first three questions is answered in the negative, the two-step test applies: the transfer is lawful only if it complies with Article 6 GDPR and with the provisions of Chapter V GDPR on the conditions for the transfer. If the answer to question 4 is negative, you must identify another ground for the transfer in Chapter V.

If it is not possible to identify a legal basis in Article 6 GDPR and a ground for the transfer in Chapter V GDPR, the transfer cannot take place lawfully.

[1] https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-022024-article-48-gdpr_ro
