Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Section 3.2  Specific information on administrative arrangements  – Article 46 (3) (b) GDPR

65. The GDPR in its Article 46(3)(b) also provides for alternative instruments in the form of administrative arrangements, e.g. Memorandum of Understanding “MOU”, providing protection through the commitments taken by both parties in order to bring their common arrangement into force.

66. In this respect, Article 46 (1) and recital 108 of the GDPR specify that these arrangements have to ensure enforceable data subject rights and effective legal remedies. Where safeguards are provided for in administrative arrangements that are not legally binding, authorisation by the competent SA has to be obtained.

67. It should be carefully assessed whether or not to make use of non-legally binding administrative arrangements to provide safeguards in the public sector, in view of the purpose of the processing and the nature of the data at hand. If data protection rights and redress for EEA individuals are not provided for in the domestic law of the third country, preference should be given to concluding a legally binding agreement. Irrespective of the type of instrument adopted, the measures in place have to be effective to ensure the appropriate implementation, enforcement and supervision.

68. In administrative arrangements specific steps have to be taken to ensure effective individual rights, redress and oversight. In particular, to ensure effective and enforceable rights, a non-binding instrument should contain assurances from the public body receiving the EEA personal data that individual rights are fully provided by its domestic law and can be exercised by EEA individuals under the same conditions as is the case for citizens and residents of the concerned third country. The same applies if administrative and judicial redress is available to EEA individuals in the domestic legal framework of the receiving public body.

69. If this is not the case, individual rights should be guaranteed by specific commitments from the parties, combined with procedural mechanisms to ensure their effectiveness and provide redress to the individual. Such procedural mechanisms may, for example, include commitments of the parties to inform each other of requests from EEA individuals and to settle disputes or claims in a timely fashion.

70. In addition, in case such disputes or claims cannot be resolved in an amicable way between the parties themselves, effective redress to the individual should be provided by alternative mechanisms, for example through a possibility for the individual to have recourse to an alternative dispute resolution mechanism, such as arbitration or mediation. Such alternative dispute resolution mechanism should be binding unless this is impossible due to the specific status of the parties which might, e.g., be the case for international organisations. 

71. Depending on the case at hand, a combination of all or some of the above measures should be provided for in the administrative agreement in order to ensure effective redress. Other measures not included in these guidelines could also be acceptable as long as they provide for effective redress.

72. Each administrative arrangement developed in accordance with Article 46 (3) (b) GDPR will be examined by the competent SA on a case by case basis, followed by the relevant EDPB procedure, if applicable.The competent SA will base its examination on the general recommendations set out in these guidelines, but might also ask for more guarantees depending on the specific case.