Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Section 1.2  General rules applicable to international transfers

5. According to Article 44 of the GDPR any transfer of personal data to third countries or international organisations must, in addition to complying with Chapter V of the GDPR, also meet the conditions of the other provisions of the GDPR. Each transfer must comply with the data protection principles in Article 5 GDPR, be lawful in accordance with Article 6 GDPR and comply with Article 9 GDPR in case of special categories of data. Hence, a two-step test must be applied: first, a legal basis must apply to the data processing as such together with all relevant provisions of the GDPR; and as a second step, the provisions of Chapter V of the GDPR must be complied with.

6.The GDPR specifies in its Article 46 that “in the absence of a decision pursuant to Article 45 (3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”. Such appropriate safeguards may be provided for by a legally binding and enforceable instrument between public bodies (Article 46 (2) (a) GDPR) or, subject to authorisation from the competent SA, by provisions to be inserted into administrative arrangements between public bodies which include enforceable and effective data subject rights (Article 46 (3) (b) GDPR).

7. Aside from this solution and in its absence, Article 49 of the GDPR also offers a limited number of specific situations in which international data transfers may take place when there is no adequacy finding by the European Commission. In particular, one exemption covers transfers necessary for important reasons of public interest recognised in Union law orin the law of the Member State to which the controller is subject, including in the spirit of reciprocity of international cooperation. However, as explained in previous guidance issued by the EDPB, the derogations provided by Article 49 GDPR must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive.