The territorial scope of General Data Protection Regulation1
(the GDPR or the Regulation) is
determined by Article 3 of the Regulation and represents a significant evolution of the EU data
protection law compared to the framework defined by Directive 95/46/EC2.
In an increasingly digital world, adherence to Data Protection by Design and by Default requirements
plays a crucial part in promoting privacy and data protection in society. It is therefore essential that
controllers take this responsibility seriously and implement the GDPR obligations when designing
This document seeks to provide guidance as to the application of Articles 46 (2) (a) and 46 (3) (b) of
the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public
authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission.