As independent body rules international transfers of data need to comply with GDPR The European Data Protection Board (EDPB) has ruled that the exchange of personal information between public authorities under existing international agreements need to comply with the General Data Protection Regulation (GDPR). This means that all transfers of personal data to third countries, concluded before 24 May 2016, or organisations, carried out before 6 May 2016, and which complied with the applicable EU law at the time, “shall remain in force until amended, replaced or revoked”, said Andrea Jelinek, chair of the EDPB. “The EDPB deems that, in order to ensure that the level of protection of natural persons guaranteed by the GDPR and the Law Enforcement Directive (LED) is not undermined when personal data is transferred outside the Union, consideration should be given to the aim of bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case,” Jelinek added.