§ 78 BDSG
General requirements
(1)A transfer of personal data to a body in a third country or to an international organisation shall be permissible whereThe second sentence of Section 74 Subsection (2) shall apply accordingly. 1 the transfer is necessary for the purposes referred to in Section 45,; 2 the European Commission has decided, on the basis of Article 36 Subsection (3) of Directive (EU) 2016/680, that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection and; 3 the conditions set out in Section 74 for a transfer are met.
(2)The transfer of personal data shall not take place despite the existence of an adequacy decision within the meaning of Subsection (1) No. 2 and the public interest in the data transfer which is to be taken into account, where, in the individual case, an appropriate handling of the data by the recipient which respects elementary human rights is not sufficiently guaranteed or overriding interests of a data subject worthy of protection preclude the transfer. In making this assessment, the controller shall take into account, as a material factor, whether the recipient guarantees an adequate level of protection of the transferred data in the individual case.
(3)Where personal data which have been transmitted by or made available from another Member State of the European Union are to be transferred pursuant to Subsection (1), such transfer must first be authorised by the competent body of the other Member State. Transfers without prior authorisation shall be permissible only where the transfer is necessary to prevent an immediate and serious threat to public security of a state or to the essential interests of a Member State and the prior authorisation cannot be obtained in time. In the case referred to in the second sentence, the body of the other Member State which would have been competent to grant the authorisation shall be informed of the transfer without delay.
(4)The controller which transfers data pursuant to Subsection (1) shall, by means of appropriate measures, ensure that the recipient does not further transfer the transferred data to other third countries or other international organisations unless the controller has authorised such further transfer. In making the decision on granting authorisation, the controller shall take into account all relevant factors, in particular the seriousness of the criminal offence, the purpose of the original transfer and the level of protection of personal data in the third country or the international organisation to which the data would be further transferred. Authorisation may only be granted where a direct transfer to the other third country or the other international organisation would also be permissible. The competence for granting authorisation may also be regulated differently.