Authorisation Decisions for Transfers

Transferring personal data to countries outside the EU/EEA or to international organisations can cause additional risks, as in some cases, data protection rules in the recipient's jurisdiction may not exist or may not be up to European standards. For this reason, there are specific rules on such transfers in Chapter V of Regulation (EU) 2018/1725.

The EDPS explained the different possibilities for safeguarding such transfers in a position paper on the transfer of personal data to third countries and international organisations by EU institutions and bodies. While that paper is still about the old Regulation (EC) 45/2001, the general architecture of possible safeguards remains the same. The preferred option is  to transfer to recipients in jurisdictions recognised as providing adequate protection. The second-best option is safeguarding such transfers either with standard contractual clauses or basing them on an international agreement including appropriate safeguards. Such transfers do not require a specific authorisation from the EDPS.

Another possible safeguard is to create 'ad hoc' contractual clauses between the exporting European Institution, body, or agency (EUI) and the recipient. A further possibility is to insert provisions into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. Should EUIs wish to use either of those possibilities, they have to obtain an authorisation from the EDPS before (see Articles 48(3) and 58(3) (e) and (f) of Regulation (EU) 2018/1725).

Finally, there are derogations for some specific situations (see Article 50 of Regulation (EU) 2018/1725; the European Data Protection Board has analysed the equivalent rules in Article 49 of the GDPR in its Guidelines 2/2018).

The EUIs cannot rely on Article 48(3) of the Regulation without having consulted and obtained an authorisation from the EDPS. These authorisations are the successor to authorisations under Article 9(7) of the old Regulation (EC) 45/2001. Authorisations granted by the EDPS under that Article of the old Regulation remain valid until amended, replaced or repealed (see Article 48(4) of Regulation (EU) 2018/1725).

The EDPS publishes these decisions. Please find them below.



EDPS Decision on the request for prior authorisation of the Working Arrangement establishing Operational Cooperation between Frontex and the Republic of Niger

EDPS Decision on the request for prior authorisation of the Working Arrangement establishing Operational Cooperation between the European Border and Coast Guard Agency and the Directorate for Territorial Surveillance of the Republic of Niger



Available languages: English

EDPS Decision authorising, subject to conditions, the use of the administrative arrangement between Fusion For Energy and the ITER International Fusion Energy Organization

This decision concerns the authorisation, subject to conditions, of the Administrative Arrangement (AA) under Article 48(3)(b) of Regulation 2018/1725 to be concluded between the European Joint Undertaking for ITER and the Development of Fusion Energy (‘F4E’) and the ITER International Fusion Energy Organization (‘ITER’) in the context of the implementation of the ITER Agreement ,notably as regards the hosting of F4E staff on the ITER site.


Available languages: English