Transfer bases for authorities and the public sector

Authorities and public organisations can transfer personal data to international organisations or the public bodies of third countries based on a European Commission decision on the adequacy of data protection. If no adequacy decision has been given, data can be transferred with administrative arrangements or international agreements between public bodies. Public organisations are also free to use the other transfer bases provided for in Article 46 of the General Data Protection Regulation should they wish. The US adequacy decision cannot be used as an instrument for the transfer of personal data between public sector entities.

Authorities and public bodies can transfer data

  1. through a legally binding and enforceable instrument between public authorities or bodies under Article 46(2)(a) of the GDPR; or
  2. by virtue of the provisions referred to in Article 46(3)(b) of the GDPR, to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Such instruments can be either bilateral or multilateral. The data protection authority evaluates administrative arrangements on a case-by-case basis since they require the supervisory authority's permission. Administrative arrangements are processed according to the consistency mechanism provided for in Article 63.

Additional information on transfers of personal data on the basis of an adequacy decision

Additional information on transfer bases under Article 46

The required safeguards must be determined before the transfer

The transferring party must assess whether the third country guarantees an essentially equivalent level of protection for the personal data being transferred as that ensured within the Union. The recipient of the data can participate in the assessment if necessary. The purpose of the assessment is to determine whether the safeguards listed in the international agreement or administrative arrangement can be implemented in practice.

The European Data Protection Board (EDPB) has issued general instructions for safeguards to be incorporated into international agreements or administrative arrangements between public bodies. The purpose of the safeguards is to ensure that the level of personal data protection is not substantially decreased when the personal data is transferred out of the EEA or to an international organisation.

For more detailed instructions and additional information on the bases for transfer of data by public bodies, please see the following EDPB guideline:

The guidelines cover international data transfers between public bodies occurring for various administrative cooperation purposes falling within the scope of the GDPR. As a consequence, they do not cover transfers in the area of public security, defence or state security. In addition, they do not deal with data processing and transfers by competent authorities for criminal law enforcement purposes falling within the scope of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security.