§ 46 NDSG
General conditions
(1)1The transfer of personal data to bodies in third countries or to international organisations shall be lawful where the other conditions applicable to data transfers are met if
(2)the body or international organisation is competent for the purposes referred to in § 23, and
(3)the European Commission has adopted an adequacy decision pursuant to Article 36(3) of Directive (EU) 2016/680, appropriate safeguards for the protection of personal data exist pursuant to § 47, or an exception pursuant to § 48 applies.
(4)2A transfer pursuant to sentence 1 number 2 shall be unlawful where an adequate handling of the data that safeguards fundamental human rights is not sufficiently ensured at the recipient, or otherwise overriding legitimate interests of a data subject are opposed to the transfer. 3In his or her assessment, the controller shall take into account in particular whether the recipient guarantees adequate protection of the transmitted data in the individual case.
(5)1Where personal data that have been transmitted from or made available by another Member State of the European Union are to be transferred pursuant to paragraph 1, this transfer must first be authorised by the competent body of the other Member State. 2Transfers without prior authorisation shall be permissible only where the transfer is necessary to avert an immediate and serious danger to the public security of a Member State or a third country, or to the essential interests of a Member State, and the prior authorisation cannot be obtained in time. 3In the case of sentence 2, the body of the other Member State that would have been competent to grant the authorisation shall be informed of the transfer without undue delay.
(6)1The controller who transfers data pursuant to paragraph 1 shall ensure by appropriate measures that the recipient shall only onward-transfer the transmitted data to bodies in other third countries or other international organisations where the controller has authorised such transfer in advance. 2In deciding whether to grant authorisation, the controller shall take into account all relevant factors, in particular the severity of the criminal offence, the purpose of the original transfer and the level of protection of personal data in the third country or international organisation to which the data are to be onward-transferred. 3Authorisation may only be granted where a direct transfer to the body in the other third country or the other international organisation would also be permissible. 4The competence for granting authorisation may also be otherwise regulated.