EDPB Finalises Article 48 GDPR Guidelines: How to Handle Foreign Court Orders Without Violating EU Law

  • Jun 23
  • 5 min read

On 4 June 2025, the European Data Protection Board adopted its final Guidelines on Article 48 of the GDPR. These Guidelines confirm and clarify a key but often underappreciated rule: a foreign authority cannot simply compel an EU-based organisation to hand over personal data.

With cross-border regulatory investigations, discovery requests, and enforcement actions becoming increasingly common, understanding how to handle data access requests from non-EU authorities is now essential. These Guidelines bring legal certainty to a difficult area—particularly for multinationals, cloud providers, and legal or compliance teams responding to subpoenas, administrative orders, or inter-group requests from outside the EU.

This article summarises what Article 48 says, what the new Guidelines clarify, what changed after public consultation, and what organisations need to do in practice.

What Article 48 GDPR Says

Article 48 states that:

“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement … without prejudice to other grounds for transfer pursuant to this Chapter.”

In other words, a foreign order - whether it comes from a court (including an international arbitration court!), a prosecutor, or a regulator - cannot be used as a ground for transferring personal data from the EU unless it is supported by an international agreement in force between the EU (or a Member State) and the third country, such as an MLAT (mutual legal assistance treaty). Article 48 GDPR applies regardless of whether the foreign decision is legally binding in the country in which it was issued.

If there is no MLAT in place, Article 48 does not allow the transfer. However, that does not end the analysis. The request may still be assessed under the other provisions of Chapter V of the GDPR.

The Two-Step Test

The Guidelines restate that any disclosure of personal data to a third country in response to a foreign authority’s request must satisfy two separate requirements:

  1. A legal basis for processing under Article 6 GDPR; and

  2. A valid transfer mechanism under Chapter V (Articles 45–49).

This test applies even where an international agreement is in place. The presence of an agreement may support both the Article 6 legal basis and the transfer ground, but it is never sufficient on its own.

When Article 48 Applies

The Guidelines apply to any situation where an EU-based controller or processor receives a binding request or decision from a third-country authority requiring them to disclose personal data. Common examples include:

  • Civil or criminal subpoenas issued by courts in the United States;

  • Orders for discovery in international arbitration;

  • Regulatory information requests from authorities in China, India, or Brazil;

  • Cross-border tax or anti-corruption investigations;

  • Requests passed through corporate structures, such as a U.S. parent company forwarding a demand to an EU subsidiary.

Importantly, the Guidelines confirm that even when the request is routed internally, for example from a non-EU parent company to an EU-based group entity, it would still qualify as a transfer under Chapter V. The fact that the request came from “within the group” does not remove the obligation to comply with GDPR transfer rules.

What Changed After Public Consultation

Several key clarifications were introduced in Version 2.0 of the Guidelines following the December 2024 consultation round:

  • Processor obligations are now explicit. When a processor receives a request from a non-EU authority, it must inform the controller “without undue delay” and await instructions. Acting independently is a breach of the GDPR.

  • Clarification on group structures. Requests passed from a third-country parent company to an EU affiliate based on a foreign decision are still treated as transfers under Chapter V.

  • Stronger guidance on enforceability. The Guidelines now explain that a foreign decision being “binding” in its own jurisdiction has no consequence unless it meets the EU standard of enforceability, including judicial oversight and compatibility with fundamental rights.

  • Annex with practical steps. A new annex lists the actions that controllers and processors should take when they receive such a request, providing a clear internal workflow for assessment, documentation, and escalation.

International Agreements and Chapter V Transfer Grounds

If an international agreement (such as an MLAT) exists, it may provide:

  • A legal obligation under Article 6(1)(c); and

  • A transfer mechanism under Article 46(2)(a), provided it contains appropriate safeguards aligned with the Charter of Fundamental Rights and GDPR principles.

However, if the agreement lacks such safeguards, it cannot be used as a transfer mechanism, and the controller must look to alternative Chapter V options.

In many cases, neither adequacy nor appropriate safeguards will be available, and organisations will consider derogations under Article 49. The Guidelines reconfirm that these are to be interpreted narrowly and applied only as a last resort.

Using the Legal Claims Derogation

One of the most commonly invoked derogations is Article 49(1)(e), which allows transfers that are “necessary for the establishment, exercise or defence of legal claims.”

The Guidelines reiterate that this derogation:

  • Must be used only on an occasional basis (not systematically),

  • Requires a close and specific link to an identified legal claim or procedure (judicial, administrative, or out-of-court),

  • Requires strict necessity - transfers must be limited to what is essential,

  • Requires prior assessment of alternatives (e.g. anonymisation, pseudonymisation, redaction).

Importantly, the existence of a foreign order is not enough. The controller must independently assess whether the requested transfer meets the above threshold and must document that assessment.

Practical Steps for EU Controllers and Processors

The Annex to the Guidelines outlines a practical approach that organisations should embed into their workflows. In summary:

  1. Identify the nature of the request. Is it a formal decision from a third-country authority?

  2. Check for an international agreement. If one applies, assess whether it creates a legal obligation and includes sufficient safeguards.

  3. Determine a legal basis under Article 6 GDPR. If the request is not covered by an agreement, assess whether another legal basis applies - this may be challenging.

  4. Identify a valid transfer ground under Chapter V. Consider adequacy, appropriate safeguards (e.g. SCCs), or a derogation.

  5. Document the decision. Maintain detailed records of the assessment, including why a transfer was allowed or refused.

  6. Respond appropriately. If the request cannot be fulfilled under GDPR, the controller should refer the authority to formal channels (e.g. MLAT).

  7. Notify the supervisory authority if required, particularly where obligations under foreign law conflict with those under the GDPR.

What EU Organisations Should Do Now

Organisations receiving data access demands from outside the EU should:

  • Review and update internal procedures to reflect the new Guidelines;

  • Ensure legal, compliance, and privacy teams understand the two-step test;

  • Train processors and service providers on their notification duties;

  • Create documentation templates for analysing and recording these requests;

  • Avoid relying on Article 49 unless strictly necessary and justifiable;

  • Consult the competent supervisory authority where uncertainty arises.

Conclusion

The EDPB’s final Guidelines on Article 48 do not introduce new obligations, but they clarify and systematise an area of compliance that many organisations struggle with in practice.

The message is clear: foreign court orders and administrative decisions do not override EU data protection law. Transfers of personal data to third-country authorities must comply with GDPR. Where no international agreement or appropriate transfer mechanism is available, controllers must use Article 49 derogations sparingly, and only when strict necessity is demonstrated and documented.


For the full Guidelines (Version 2.0, adopted 4 June 2025), see here.
