§ 62 DSG NRW
General requirements
(1)The transmission of personal data to bodies in third countries or to international organisations shall be permissible, provided the other conditions applicable to data transmissions are met, where
(2)1. the body or international organisation is competent for the purposes referred to in Section 35, and
(3)2. the European Commission has adopted an adequacy decision pursuant to Article 36(3) of Directive (EU) 2016/680.
(4)The transmission of personal data must, despite the existence of an adequacy decision within the meaning of paragraph 1, number 2, and the public interest in the data transmission to be taken into account, be refrained from where, in the individual case, an adequate and human-rights-respecting handling of the data by the recipient is not sufficiently ensured, or where overriding legitimate interests of a data subject are contrary thereto. In his or her assessment, the controller shall give due regard to whether the recipient guarantees adequate protection of the transmitted data in the individual case.
(5)Where personal data that have been transmitted or made available from another Member State of the European Union are to be transmitted pursuant to paragraph 1, this transmission must first be authorised by the competent body of the other Member State. Transmissions without prior authorisation shall be permissible only where the transmission is necessary to avert an immediate and serious danger to the public safety of a state or to the essential interests of a Member State and the prior authorisation cannot be obtained in time. In the case of sentence 2, the body of the other Member State that would have been competent to grant the authorisation shall be notified of the transmission without delay.
(6)The controller who transmits data pursuant to paragraph 1 shall, by means of appropriate measures, ensure that the recipient only further transmits the transmitted data to other third countries or other international organisations where the controller has previously authorised such transmission. When deciding whether to grant authorisation, the controller shall take into account all relevant factors, in particular the seriousness of the criminal offence, the purpose of the original transmission and the level of protection of personal data existing in the third country or international organisation to which the data are to be further transmitted. Authorisation may only be granted where direct transmission to the other third country or other international organisation would also be permissible. The competence for granting authorisation may also be regulated differently.