GRI

EDPB clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification

News Data protection Guidance
Date: 3rd Dec, 2024 Source: European Data Protection Board Country: European Union Original Source

Brief

"On December 03, the European Data Protection Board issued an update regarding EDPB clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification. The guidelines clarify how organisations can best assess under which conditions they can lawfully respond to requests from public authorities in other countries to share personal data. The new opinion also approved a European Data Protection Seal, making the Brand Compliance national certification criteria applicable across Europe."

Brussels, 03 December – During its latest plenary, the European Data Protection Board (EDPB) published guidelines on Art.48 GDPR about data transfers to third country authorities and approved a new European Data Protection Seal.
EDPB helps organisations assess data transfer requests by third country authorities
In a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications.
When a European organisation receives a request for a transfer of data from a ‘third country’ (i.e. non-European countries) authority, it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. In this way, the guidelines help organisations to make a decision on whether they can lawfully transfer personal data to third country authorities when asked to do so.
Judgements or decisions from third countries authorities cannot automatically be recognised or enforced in Europe. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.*
The guidelines are subject to public consultation until 27 January 2025.
Approval of EU Data Protection Seal
During the plenary meeting, the Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board already adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now be applicable across Europe and as a European Data Protection Seal.
GDPR certification helps organisations demonstrate their compliance with data protection law. This transparency helps people trust the product, service, process or system for which organisations process their personal data.

Note to editors:
* The transfer must comply with Art.6 GDPR and the provisions of Chapter V.
An international agreement may provide for both a legal basis under Art. 6(1) (c) or 6(1) (e) GDPR and a ground for transfer under Art. 46(2) (a) GDPR.

Highlights content goes here...

Purpose

The European Data Protection Board (EDPB) has published guidelines on Article 48 GDPR, which provides clarity on how organizations can lawfully respond to requests from third-country authorities for data transfers. The guidelines aim to help organizations assess and comply with the General Data Protection Regulation (GDPR) when transferring personal data to non-European countries. Furthermore, the EDPB has approved a new European Data Protection Seal, which will serve as a recognized certification criteria across Europe.

Effects on Industry

The publication of these guidelines is expected to have significant effects on industries that frequently interact with third-country authorities, such as financial institutions, healthcare providers, and e-commerce companies. The clarity provided by the EDPB on how to assess data transfer requests will help organizations ensure compliance with GDPR regulations, thereby avoiding potential fines and reputational damage. Additionally, the introduction of a European Data Protection Seal will promote transparency and trust among consumers regarding data processing activities.

Relevant Stakeholders

The stakeholders affected by these guidelines include:

  • Organisations that frequently interact with third-country authorities, such as financial institutions, healthcare providers, and e-commerce companies

  • Consumers whose personal data is processed by these organisations

  • Data protection authorities responsible for enforcing GDPR regulations in European countries

Next Steps

To comply with the new guidelines, organisations must:

  1. Review their current practices regarding data transfer requests from third-country authorities.

  2. Assess whether they can lawfully respond to such requests based on the EDPB’s guidelines.

  3. Implement necessary measures to ensure compliance with GDPR regulations when transferring personal data to non-European countries.

  4. Consider obtaining the European Data Protection Seal as a recognized certification criteria for their data processing activities.

Any Other Relevant Information

The EDPB’s guidelines are subject to public consultation until January 27, 2025. Organisations are encouraged to participate in this consultation process to provide feedback and suggestions on how to improve these guidelines. The new European Data Protection Seal will be applicable across Europe, promoting transparency and trust among consumers regarding data processing activities.

European Data Protection Board

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Maintenance of Good Practice Certificate Queries
Date: 4th Feb, 2025 Source: National Health Surveillance Agency (Anvisa) Country: Brazil
News Healthcare & Pharma Guidance
Are your organisation’s edge devices secure?
Date: 5th Feb, 2025 Source: Australian Cyber Security Centre (ACSC) Country: Australia
News Cybersecurity Guidance
How EASA certified Safran’s ENGINeUS 100 electric engine
Date: 4th Feb, 2025 Source: European Union Aviation Safety Agency (EASA) Country: European Union
News Aviation & Aerospace Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales