Art. 44

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

No specific provision

Section 4b
Transfer of personal data abroad and to supranational or international bodies

(1) The transfer of personal data to bodies

1.  in other Member States of the European Union,

2.  in other states parties to the Agreement on the European Economic Area or

3.  institutions and bodies of the European Communities

shall be subject to Section 15 (1), Section 16 (1) and Sections 28 to 30a in accordance with the laws and agreements applicable to such transfer, in so far as transfer is effected in connection with activities which fall in part or in their entirety within the scope of the law of the European Communities.

(2) Sub-Section 1 shall apply mutatis mutandis to the transfer of personal data to bodies in accordance with sub-Section 1 when effected outside of activities which fall in part or in their entirety within the scope of the law of the European Communities and to the transfer of such data to other foreign, supranational or international bodies. Transfer shall not be effected in so far as the data subject has a legitimate interest in excluding transfer, in particular if an adequate level of data protection is not guaranteed at the bodies stated in the first sentence of this sub-section. The second sentence shall not apply if transfer is necessary in order to enable a public body of the Federation to perform its duties for compelling reasons of defence or to discharge supranational or international duties in the field of crisis management or conflict prevention or for humanitarian measures.

(3) The adequacy of the afforded level of protection shall be assessed in the light of all circumstances surrounding a data transfer operation or a category of data transfer operations; particular consideration shall be given to the nature of the data, the purpose, the duration of the proposed processing operation, the country of origin, the recipient country and the legal norms, professional rules and securities measures which apply to the recipient.

(4) In the cases referred to in Section 16 (1) No. 2 above, the body transferring the data shall inform the data subject of the transfer of his/her data. This shall not apply if it can be assumed that the data subject will acquire knowledge of such transfer in another manner or if such information would jeopardize public safety or otherwise be detrimental to the Federation or a Land.

(5) Responsibility for the admissibility of the transfer shall rest with the body transferring the data.

(6) The body to which the data are transferred shall be informed of the purpose for which the data are transferred.