Article 48 GDPR: Transfers or disclosures not authorized by Union law

Article 48 of the GDPR states that judicial or administrative decisions emanating from a third country cannot alone justify a transfer of personal data to a non-EU country, unless there is an international agreement or other legal basis compliant with the GDPR.

Article 48 of the GDPR explained

This article aims to protect the legal autonomy of the European Union in terms of data protection. So:

  • A request for communication of data by a non-European authority (e.g. court, administration...) is only valid if it is based on an international agreement (e.g. mutual legal assistance treaty);
  • In the absence of such an agreement, a transfer based solely on this request is prohibited by the GDPR.

Why is this article important for your GDPR compliance?

This article is essential to prevent abusive extraterritorial transfers, in particular those based on foreign laws incompatible with European principles (such as certain American laws). It strengthens the Union's sovereignty over data protection.

How to comply with Article 48 of the GDPR?

  • Refuse any request for data transfer from a third country in the absence of a recognized legal basis (agreement, adequacy decision, standard clauses...);
  • Document any requests received and responses provided;
  • Train your teams to manage these specific requests;
  • Consult your DPO or a lawyer before any transmission in this context.

Examples of application of Article 48 of the GDPR

  • A company refuses to transfer data from a European customer to a foreign authority due to lack of international agreement;
  • A company receives an injunction from a US court: it uses Article 48 to require a recognized legal framework;
  • An organization postpones any transmission until authorization is obtained from the CNIL or the competent authority.
