International data transfers are once again under the spotlight – whether in the context of the EU-U.S. Data Privacy Framework or growing concerns about data access by authorities in countries like China. In this context, the European Data Protection Board (EDPB) adopted its final Guidelines on Article 48 GDPR on 4 June 2025.

These guidelines clarify how organisations in the EU should handle requests from courts or authorities in third countries for the disclosure or transfer of personal data – a highly relevant issue for internationally active companies.

What is Article 48 GDPR about?

Article 48 makes it clear: judgments or administrative decisions from third countries are only valid within the EU if based on an international agreement (such as a mutual legal assistance treaty (MLAT)). In the absence of such an agreement, data must not be transferred solely on the basis of a foreign request.

What does this mean in practice?

If an EU-based organisation receives a direct request from a third-country authority, the following steps must be assessed:

Two-Step Assessment:

1. Legal basis for the data processing (under Article 6 GDPR), such as:

• Art. 6(1)(c) – legal obligation based on an international agreement
• Art. 6(1)(e) – task carried out in the public interest
• Art. 6(1)(f) – legitimate interests (only in exceptional cases)

2. Legal basis for the international data transfer (under Chapter V GDPR), such as:

• Adequacy decision (Art. 45)
• Appropriate safeguards, e.g. Standard Contractual Clauses (Art. 46)
• Derogations for specific situations (Art. 49)

Further key points

• Direct requests from authorities without an underpinning international agreement are problematic. The recommended approach: refer the requesting authority to national competent authorities, particularly for law enforcement or regulatory matters.
• Article 48 is not a legal basis for data transfers. It clarifies that third-country decisions do not have automatic legal effect in the EU.
• Sharing data “just in case” without a valid legal basis is not permitted.

Conclusion

The new EDPB Guidelines on Article 48 provide much-needed legal clarity for organisations faced with data access requests from outside the EU. Any such request must be carefully assessed to ensure there is both:

• a valid legal basis for the processing, and
• a permissible ground for the transfer.

Otherwise, companies risk non-compliance with EU data protection law.

Tip: Businesses should review and, if necessary, update their internal processes and templates for handling third-country data requests.