Germany: Issued Bavarian State Commissioner for Data Protection international data transfers guidance

On 1 May 2023, the Bavarian State Commissioner for Data Protection issued a guide on international data transfers. The guide provides information on transferring personal data to recipients in third countries, which requires a two-stage review under the General Data Protection Regulation (GDPR). The first stage requires compliance with the general principles for the processing of personal data, such as lawful and transparent processing. In addition, there must be a legal basis legitimising the processing. The transfer is permissible only when all the provisions of the GDPR and the conditions stipulated in the second review stage are met. Additionally, the second stage involves assessing the legitimacy prerequisites for transferring personal data to a third country according to GDPR articles 44 and beyond. Compliance accountability extends to both review stages, which must be documented.