
EDPB Publishes Guidelines 02/2024 post-consultation version 2.1 on Article 48 GDPR

Created by Frank Ingenrieth | Reference / Update GDPR Guideline

As of June 4th, 2025, the EDPB adopted the post-consultation version of its Guidelines 02/2024 (v2.0). As of June 20th, 2025, the EDPB adopted an updated version of the related Annex, upgrading the Guidelines to v2.1. It is foreseen that Guidelines 02/2024 will facilitate the processing of requests by judgements or decisions of third country courts and authorities addressing private Controllers or Processors.

TL;DR / Summary

  • EDPB adopted its post-consultation version of its Guidelines 02/2024 (v2.0)
  • Guidelines 02/2024 address a specific practical scenario, where third country courts or authorities request personal data from a European private Controller or Processor to which GDPR applies pursuant to Art. 3.1 GDPR, while other scenarios are excluded
  • EDPB does not consider Art. 48 GDPR to be a transfer mechanism by itself; consequently, if the requirements of Art. 48 GDPR are met, this does not result in any privileges
  • EDPB considers a two-step test necessary:
    • Is there at least one legal basis for the processing of the affected personal data under GDPR, and are all relevant provisions of GDPR complied with?
    • Will the specific provisions of Chapter V be complied with in respect of the transfer of personal data to the requesting third country?
  • Guidelines 02/2024 define key terminology in the context of Art. 48 GDPR, such as Judgement / Decision, Authority / Court / Tribunal, and International Agreement
  • Guidelines 02/2024 do not waive any provisions and requirements of legal frameworks other than GDPR
  • Guidelines 02/2024 note the obligations of Processors and underline their generally limited options, because Processors are prohibited from taking any action other than notifying the Controller about such a request and waiting for any related instructions.

Scope of Guidelines 02/2024

The Guidelines address a specific practical scenario, where third country courts or authorities request personal data from a European private Controller or Processor to which GDPR applies pursuant to Art. 3.1 GDPR. Other practically relevant scenarios are explicitly excluded from these Guidelines.

Excluded scenarios are

  • requests addressing public bodies (public-to-public requests) even though those may also fall within the scope of Art. 48 GDPR.
  • requests addressing parent companies in the third country of origin of the court or authority, expecting the parent company to forward to and enforce the request towards their EU based subsidiary (indirect requests). The EDPB considers such requests outside the scope of Art. 48 GDPR. 

Terminology

The EDPB considered it relevant to clarify key terminology of Art. 48 GDPR.

  • Judgment / Decision: “The EDPB finds that the terminology used by the third country body to qualify its request as a “decision” or “judgment” is not decisive for the application of Article 48, as long as it is an official request from a third country authority.”
  • Authority / Court / Tribunal: Similar to the broad understanding of Judgment / Decision, the EDPB seems to lean towards a broad understanding of Authority / Court / Tribunal, provided that such body is vested with related powers by the law of the third country where it resides. "Requests from third country authorities issued in different contexts and for different purposes would fall within the scope of the provision e.g. requests from law enforcement or national security authorities, financial regulators or public authorities responsible for approving pharmaceutical products, medical devices, etc."
  • International Agreement: In consideration of Art. 46.2 lit a) GDPR, the EDPB understands an international agreement as “a legally binding and enforceable instrument between public authorities or bodies”. Such an agreement may provide for either direct public-to-private requests or for public-to-public cooperation obligations that subsequently affect private parties. MLATs usually reflect the latter option, whereas, conversely, MLATs do not necessarily comply with the requirements of Art. 46.2 lit a) GDPR.

Applicability and Intent of Art. 48 GDPR; No Privilege

The EDPB notes that “Art. 48 GDPR applies in situations where a controller or processor in the EU receives a decision or judgment from an administrative authority or a court in a third country requiring the transfer or disclosure of personal data.” By governing the access to GDPR-protected personal data by non-EU courts and authorities, Art. 48 GDPR enshrines the European Union level of protection of individuals.

Regardless of the means of access, by hard or virtual copy or by means of remote access, this qualifies as a transfer under Chapter V GDPR. Art. 48 GDPR uses “transfer and disclosure”. Disclosure is one exemplary element of the meaning of processing under Art. 4.2 GDPR. The EDPB refers to its Guidelines 05/2021, in which it already noted that the means of access shall not affect the legal concept of a third country transfer.

The EDPB also notes that Art. 48 GDPR does not impose any limitations in respect of the intended processing purposes of the requesting authority or court. 

Where the transfer of personal data is not subject to a request by a third country court or authority, or where the request is not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, such transfer is not per se prohibited. However, such transfer must follow the principles and requirements as provided by GDPR.

Consequently, the EDPB states in its Guidelines that Art. 48 GDPR constitutes neither a transfer mechanism in itself nor a legal basis for processing. It also states that Art. 48 GDPR does not create any privilege, regardless of whether the requested Controller or Processor may face adverse legal consequences if it refuses to comply with the request. It seems worth highlighting that the EDPB does not distinguish whether such consequences result from European Union or third country law.

Required Tests and Interplay of Art. 48 with other provisions of GDPR

Because the EDPB concludes that Art. 48 GDPR does not provide any privileges in itself, it determines that a two-step test must be applied in each case where personal data is being requested by third country courts or authorities.

  • Is there at least one legal basis for the processing of the affected personal data under GDPR, and are all relevant provisions of GDPR complied with?
  • Will the specific provisions of Chapter V be complied with in respect of the transfer of personal data to the requesting third country?

It is worth noting that the first step - legitimacy of processing - is certainly two-fold in itself. Even though the EDPB does not explicitly refer to this scenario, the legitimacy applies to the processing at the requested party in general, and to the processing by means of providing access to the requesting court or authority. It will certainly escalate complexities in cases where the general processing of the requested personal data is already illegitimate.

The EDPB considers Art. 6.1 lit c) GDPR as the legal basis for the processing of personal data by means of providing access to such data to the requesting court or authority, where the request from a third country authority "is based on an international agreement, which may give such request the effect of a legal obligation to which the controller is subject and non-compliance would have legal consequences."

The EDPB notes that only international agreements which meet the requirements of Art. 46.2 lit a) GDPR may act as a transfer mechanism. The EDPB has provided a set of minimal elements and requirements for such international agreements in order to qualify as an international agreement under Art. 46.2 lit a) GDPR.

If no suitable international agreement exists, the EDPB clarifies that the request may still be followed. However, this will require a thorough individual legal analysis. If such analysis concludes that an alternative transfer mechanism exists under Chapter V GDPR and that there will be sufficient safeguards and supplementary measures in place to ensure the level of data protection for data subjects as enshrined within the European Union, the EDPB considers that Art. 48 GDPR does not prevent such transfers.

Non-GDPR related requirements

The EDPB acknowledges that additional legal requirements may apply when a third country court or authority requests access. Such legal requirements may result from procedural or international agreements. The EDPB has not assessed each of such requirements individually, nor does it claim that the Guidelines provide an exhaustive legal perspective. The Guidelines only reflect the requirements under GDPR. 

Additional Remarks for Processors

The Controller remains responsible for the processing of personal data. Consequently, the assessment of whether a request shall be followed or must be refused is an obligation of the Controller.

However, requests may be directly addressed to Processors. In this scenario, Processors are prohibited from taking any action other than notifying the Controller about such a request and waiting for any related instructions. The EDPB notes that Processors may act differently where Union law or Member State law to which the processor is subject prohibits them from informing the controller on “important grounds of public interest”. See also EDPB Guidelines 07/2020.


Affected GDPR Provision(s) and Terms

Transfers or disclosures not authorised by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Art. 4.1 GDPR)
  • ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Art. 4.2 GDPR)
  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (Art. 4.7 GDPR)
  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Art. 4.8 GDPR)