§ 73 HDSIG
General Requirements
(1)The transfer of personal data to bodies in third countries or to international organisations shall be permissible, where the other conditions applicable to data transfers are met, if 1. the body or international organisation is competent for the purposes referred to in § 40, and 2. the European Commission has adopted an adequacy decision pursuant to Art. 36 para. 3 of Directive (EU) No 2016/680.
(2)Despite the existence of an adequacy decision within the meaning of para. 1 no. 2 and the public interest in the data transfer to be taken into account, the transfer of personal data shall be refrained from where, in the individual case, an adequate and human rights-respecting handling of the data by the recipient is not sufficiently ensured or where the overriding legitimate interests of a data subject preclude the transfer. In making the assessment, the controller shall give due regard to whether the recipient guarantees an adequate level of protection of the transferred data in the individual case.
(3)Where personal data that have been transferred or made available by another Member State of the European Union are to be transferred pursuant to para. 1, this transfer must be authorised in advance by the competent body of the other Member State. Transfers without prior authorisation shall only be permissible where the transfer is necessary to avert an immediate and serious threat to the public security of a Member State or a third country or to the essential interests of a Member State, and the prior authorisation cannot be obtained in time. In the case of sentence 2, the body of the other Member State which would have been competent to grant the authorisation shall be notified without undue delay of the transfer.
(4)The controller who transfers data pursuant to para. 1 shall, by appropriate measures, ensure that the recipient only further transfers the transferred data to bodies in other third countries or other international organisations if the controller has authorised this transfer in advance. In deciding whether to grant the authorisation, the controller shall take into account all relevant factors, in particular the seriousness of the offence, the purpose of the original transfer and the level of personal data protection in the third country or international organisation to which the data are to be further transferred. An authorisation may only be given if a direct transfer to the body in the other third country or the other international organisation would also be permissible. The competence for granting the authorisation may also be regulated differently. zur Einzelansicht § 73