The European Data Protection Board (EDPB) clarifies the rules for sharing personal data with government agencies outside the European Economic Area (EEA). The EDPB plenary also approved AVG certification.
In a rapidly digitizing world, organizations may receive requests from government agencies in other countries to share personal data. For example, to collect evidence of a crime, verify financial transactions or approve new drugs.
If a European organization receives a request from an agency in a country outside the EU (a third country), then the organization must comply with the General Data Protection Regulation (AVG). The new guidelines from the EDPB help organizations determine whether and how to share personal data in such a situation.
The guidelines specifically address requests arising from a court ruling or decision. In fact, EU countries do not automatically recognize such a ruling or decision from a third country. To still share personal data, there must be an international agreement, for example. An organization must also always comply with the other rules for international transfer of personal data.
Anyone who wishes to do so may, until January 27, 2025 respond to the guidelines. After this consultation, the EDPB will adopt the final guidelines.
During the plenary session, the EDPB also approved Brand Compliance certification criteria. In September 2023, the national certification criteria were already approved for the Netherlands. Now these criteria are also applicable in the rest of Europe and as "European data protection seal.
A AVG certificate helps organizations demonstrate compliance with privacy laws. This gives people confidence in the product, service, process or system for which an organization processes their personal data.
The Personal Data Authority (AP) is one of the privacy regulators in the EDPB.
