Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Section 3.1 Specific information on legally binding and enforceable instruments – Article 46 (2) (a) GDPR
60. Article 46 (2) (a) GDPR allows EEA public bodies to base transfers to public bodies in a third country or an international organisation on instruments concluded between them without obtaining prior authorisation from a SA. Such instruments have to be legally binding and enforceable. Therefore, international treaties, public-law treaties or self-executing administrative agreements may be used under this provision.
61. Any legally binding and enforceable instrument should encompass the core set of data protection principles and data subject rights as required by the GDPR.
62. The parties are obliged to commit themselves to putting sufficient data protection safeguards for transferring data into place. As a consequence, the agreement should also set out the way in which the receiving public body will apply the core set of basic data protection principles and data subject rights to all transferred personal data in order to ensure that the level of protection of natural persons under the GDPR is not undermined.
63. If there is no possibility to ensure effective judicial redress in legally binding and enforceable instruments so that alternative redress mechanism have to be agreed upon, EEA public bodies should consult the competent SA before concluding these instruments.
64. Even if the form of the instrument is not decisive as long as it is legally binding and enforceable, the EDPB considers that the best option would be to incorporate detailed data protection clauses directly within the instrument. If, however, this solution is not feasible due to the particular circumstances, the EDPB strongly recommends incorporating at least a general clause setting out the data protection principles directly within the text of the instrument and inserting the more detailed provisions and safeguards in an annex to the instrument.