The European Data Protection Board (EDPB) has adopted the final version of the guidelines on data transfers to third country authorities: Guidelines 02/2024 on Article 48 of the GDPR (Guidelines). In addition, the EDPB presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Also discussed was the European Commission’s request for a joint EDPB- European Data Protection Supervisor (EDPS) opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR.
Data transfers to third country authorities
The Guidelines explain that judgements or decisions from third country authorities cannot be automatically or directly recognised or enforced in an EU Member State, reaffirming that a request from a foreign authority does not inherently constitute a legal basis for the processing or a ground for the transfer.
The EDPB explains: “judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.” For example, the updated guidelines address the situation where the recipient of a request is a processor and provide additional details regarding the situation where a mother company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe.
While other bases under Article 6 may be suitable, the EDPB clarified that Article 6(1)(b) - which provides a lawful basis where processing is necessary for the performance of a contract – cannot be relied upon by a private entity in the EU as an appropriate legal basis to answer a request for transfer or disclosure from a third country authority.
Upskilling and reskilling on AI and data protection
EDPB presented two new Support Pool of Experts projects:
- Law and Compliance in AI Security and Data Protection - aimed at data privacy officers and privacy professionals, covering basic concepts of AI and the issues raised for data protection law and risks that take place at various stages of the life cycle of an AI-based tool; and
- Fundamentals of Secure AI Systems with Personal Data - aimed at cybersecurity professionals, developers or deployers of high-risk AI systems, to provide training materials on AI and data protection.
The EDPB aim of these projects is “to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.”
Simplification of record-keeping obligation under the GDPR
Finally, the EDPB discussed the European Commission's request for a joint opinion by the EDPB and the EDPS on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter in the coming months.
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2025-06-09-15-26-40-109-6846fd301267d63f9de60e97.jpg)
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2025-05-30-13-28-45-457-6839b28d910f51d7657895ce.jpg)
/Passle/611cdc4cfac91e0bc434389f/SearchServiceImages/2025-06-05-18-19-57-219-6841dfcdba3a430c3e22fcbf.jpg)