(1) If all other conditions applicable to data transfers are met, the transfer of personal data to bodies in third countries or to international organizations shall be permitted if
- the body or international organization is responsible for the purposes referred to in Section 45, and
- the European Commission has adopted an adequacy decision pursuant to Article 36 (3) of Directive (EU) 2016/680.
(2) No transfer of personal data shall be permitted, despite an adequacy decision as referred to in subsection 1 no. 2 and the public interest in the data transfer to be taken into account, if in the individual case it cannot be ensured that the data will be handled appropriately in terms of data protection law and in accordance with fundamental human rights in the area of responsibility of the recipient, or if a transfer would conflict with other overriding legitimate interests of a data subject. The controller shall base its assessment on whether the recipient in the individual case guarantees appropriate protection of the transferred data.
(3) If personal data which have been transmitted or made available from another European Union Member State are to be transferred pursuant to subsection 1, the competent body of the other Member State must provide prior authorization of the transfer. Transfers without the prior authorization shall be permitted only if the transfer is necessary to prevent an immediate and serious threat to the public security of a country or to essential interests of a Member State and the prior authorization cannot be obtained in time. In the case of the second sentence, the other Member State’s body responsible for giving prior authorization shall be informed of the transfer without delay.
(4) The controller transferring data pursuant to subsection 1 shall take appropriate measures to ensure that the recipient will transfer the data onward to other third countries or other international organizations only with the prior authorization of the controller. When deciding whether to authorize the transfer, the controller shall take into account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data were originally transferred and the level of personal data protection in the third country or international organization to which the data are to be transferred onward. The transfer shall be authorized only if a direct transfer to the other third country or international organization would be lawful. The responsibility for issuing authorization may also be otherwise provided for.