European Data Protection Board clarifies rules on data requests from third countries

On June 5, 2025, the European Data Protection Board (EDPB) published the final guidelines on Article 48 of the GDPR. They clarify under which conditions personal data may be transferred to authorities outside the EU. The central message: Judgments or orders from third-country authorities are not automatically enforceable within the EU. Data transfers may take place if there is an international agreement – or, in exceptional cases, if other legal grounds can be relied upon. These exceptions must always be assessed on a case-by-case basis and interpreted restrictively.

In the revised version, new clarifications were introduced regarding the role of processors in such requests as well as group structures: if a parent company in a third country receives a request from an authority and forwards it to its EU subsidiary, the strict requirements of the GDPR apply here as well. At the same time, the EDPB presented two new training projects on data protection and artificial intelligence. The materials are aimed at legal and technical professionals and are intended to promote the responsible and lawful use of AI. The objective is to close existing skill gaps and to strengthen the development of privacy-friendly AI.

The training offers were developed within the framework of the “Support Pool of Experts” (SPE) – an initiative of the EDPB Strategy 2024–2027. It supports data protection authorities by providing common tools and access to a broad network of experts, in order to enhance their enforcement capacity across Europe.

Finally, a proposal by the European Commission to simplify record-keeping obligations (Art. 30(5) GDPR) for smaller companies was discussed. A joint opinion by the EDPB and the EDPS is expected within the next eight weeks.