On June 5, 2025, the European Data Protection Board (EDPB) published the final version of its guidelines on Article 48 of the General Data Protection Regulation (GDPR), offering legal clarity on how organizations should handle data transfer requests from non-EU authorities. The Board also introduced two new training modules focused on artificial intelligence and data protection as part of its Support Pool of Experts (SPE) initiative.
The finalized *Guidelines 02/2024 on Article 48 GDPR* provide detailed instructions for controllers and processors in the EU on how to respond to requests from third-country courts or administrative bodies for personal data. The guidelines reaffirm that such requests are not automatically enforceable under EU law unless backed by an international agreement—such as a mutual legal assistance treaty—that includes specific safeguards aligned with EU standards.
“Article 48 reinforces the legal sovereignty of the EU by ensuring that third-country laws cannot override GDPR protections,” the EDPB wrote. “Such transfers must satisfy both Article 6 GDPR and the conditions set out in Chapter V.”
The guidelines highlight that even in the absence of an applicable international agreement, data transfers may be permissible under exceptional circumstances using alternative legal grounds, such as Article 49 derogations. However, these must be interpreted narrowly and applied only on a case-by-case basis.
Accompanying this guidance, the EDPB unveiled two SPE training projects: “Law & Compliance in AI Security and Data Protection” and “Fundamentals of Secure AI Systems with Personal Data.” The former is designed for legal and compliance professionals such as Data Protection Officers (DPOs), while the latter targets technical personnel working with high-risk AI systems.
The projects were developed in collaboration with the Hellenic Data Protection Authority to help address Europe’s growing skills gap in AI governance. Both training modules are now available as PDF resources, with plans to launch editable, community-based versions on the EDPB’s Git repository later this year.
Additionally, the Board discussed a pending request from the European Commission for a joint EDPB-European Data Protection Supervisor (EDPS) opinion on simplifying record-keeping obligations for SMEs and mid-sized companies under Article 30(5) GDPR. A joint opinion is expected within eight weeks.
These developments reflect the EDPB’s evolving strategy to provide practical, forward-looking tools that support both legal compliance and technical literacy in an increasingly AI-driven regulatory landscape.
Need Help?
If you’re concerned or have questions about how to navigate the EU or global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.
