Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Section 1.1  Purpose

1. This document seeks to provide guidance as to the application of Articles 46 (2)(a) and 46 (3) (b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission. Public bodies may choose to use these mechanisms, which the GDPR considers more appropriate to their situation, but are also free torely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.

2. The guidelines are intended to give an indication as to the expectations of the European Data Protection Board (EDPB) on the safeguards required to be put in place by a legally binding and enforceable instrument between public bodies pursuant to Article 46 (2) (a) GDPR or, subject to authorisation from the competent supervisory authority (SA), by provisions to be inserted into administrative arrangements between public bodies pursuant to Article 46 (3) (b) GDPR. The EDPB strongly recommends parties to use the guidelines as a reference at an early stage when envisaging concluding such instruments or arrangements.

3. The guidelines are to be read in conjunction with other previous work done by the EDPB (including endorsed documents by its predecessor, the Article29 Working Party (“WP29”)) on the central questions of territorial scope and transfers of personal data to third countries. The guidelines will be reviewed and if necessary updated, based on the practical experience gained from the application of the GDPR.

4. The present guidelines cover international data transfers between public bodies occurring for various administrative cooperation purposes falling within the scope of the GDPR. As a consequence and in accordance with Article 2 (2) of the GDPR, they do not cover transfers in the area of public security, defence or state security. In addition, they do not deal with data processing and transfers by competent authorities for criminal law enforcement purposes, since this is governed by a separate specific instrument, the law enforcement Directive. Finally, the guidelines only focus on transfers between public bodies and do not cover transfers of personal data from a public body to a private entity or from a private entity to a public body.