European Union: European Data Protection Boardadopted guidelines on data transfers to third country authorities (Art. 48 GDPR)

On 5 June 2025, the European Data Protection Board (EDPB) published the final version of its guidelines on Article 48 of the General Data Protection Regulation (GDPR), following the close of public consultation in January 2025. The guidelines clarify that decisions or judgments from third-country authorities requiring the transfer or disclosure of personal data by EU-based controllers or processors are not directly enforceable unless supported by an international agreement, such as a mutual legal assistance treaty. The guidelines outline the legal conditions under which such requests may be responded to, emphasising that any resulting transfer must be based on a valid legal basis under Article 6 GDPR and comply with Chapter V requirements, including adequacy decisions, appropriate safeguards, or exceptional derogations. The final text provides practical recommendations for organisations and reiterates the primacy of EU data protection standards in cross-border data access scenarios.