Article 96: Relationship with previously concluded Agreements

Article 96 requires you to recognize that certain Member State international agreements for personal data transfers signed before 24 May 2016 can continue to apply, but only until they are amended, replaced, or revoked. Operationally, you must identify whether any such agreements touch your transfer flows and ensure your transfer governance does not incorrectly rely on them or ignore them. (Regulation (EU) 2016/679, Article 96)

Key takeaways:

• Inventory and map any pre-24 May 2016 Member State agreements that could govern your third-country transfer pathways. (Regulation (EU) 2016/679, Article 96)
• Treat Article 96 as a “legacy agreement check” in your international transfer intake and contracting workflows. (Regulation (EU) 2016/679, Article 96)
• Maintain decision records that show whether you rely on a legacy agreement, and what happens if it changes. (Regulation (EU) 2016/679, Article 96)

Article 96 is short, but it creates a real governance trap for compliance teams: older international agreements signed by EU Member States can remain legally relevant for transfers of personal data to third countries or international organisations, even after GDPR took effect, if they complied with Union law applicable at the time. (Regulation (EU) 2016/679, Article 96)

For most private-sector organizations, this will not be the mechanism you primarily use to justify international transfers. Your day-to-day program will still center on the GDPR’s transfer tools and assessments. The operational value of Article 96 is different: it forces you to (1) know whether your organization is operating under any legacy state-level agreement that touches personal data transfers, (2) avoid “accidental reliance” on an agreement you cannot produce or interpret, and (3) have a plan for what you will do if that agreement is amended, replaced, or revoked. (Regulation (EU) 2016/679, Article 96)

This page gives you requirement-level implementation guidance you can assign to Legal, Privacy, and Procurement, with concrete artifacts to retain for audits, customer diligence, and regulator questions.

Regulatory text

Text (verbatim): “International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.” (Regulation (EU) 2016/679, Article 96)

What the operator must do with this text

Article 96 is not a “do transfers this way” instruction. It is a continuity rule. Your operational obligation is to ensure your organization:

1. Does not ignore applicable legacy Member State transfer agreements where they genuinely govern a transfer relationship; and
2. Does not over-claim them as a transfer justification without confirming they exist, apply, and remain in force; and
3. Tracks change events (amend/replacement/revocation) and routes them into your transfer mechanism decisioning. (Regulation (EU) 2016/679, Article 96)

Plain-English interpretation (requirement intent)

If a Member State signed an international agreement before 24 May 2016 that covers personal data transfers to a third country or international organisation, and it was lawful under EU law at that time, GDPR does not automatically nullify it. It can keep operating until it changes or is terminated. (Regulation (EU) 2016/679, Article 96)

For a CCO/GRC lead, the practical question becomes: Do any of our cross-border transfer flows rely on, or get constrained by, a legacy government-to-government agreement? If yes, you need a controlled way to identify it, document your reliance (or non-reliance), and monitor for changes.

Who it applies to (entity and operational context)

In-scope entities

• Any organization (controller or processor) that transfers personal data to third countries or international organisations, where a transfer pathway could be governed by a Member State international agreement concluded before 24 May 2016. (Regulation (EU) 2016/679, Article 96)
• This shows up more often in regulated sectors, public sector, or hybrid arrangements (for example, where your company processes data on behalf of a government program that itself operates under an international agreement). Article 96 does not limit itself to any sector; the trigger is the existence and applicability of the agreement. (Regulation (EU) 2016/679, Article 96)

Operational contexts where Article 96 becomes “real”

Use this as your scoping filter:

• Transfers tied to government programs, law enforcement cooperation, public health cross-border initiatives, immigration, customs, or other state-led exchanges where an international agreement is plausible.
• Third-party relationships where the counterparty states that transfers are covered by an “international agreement” rather than your standard transfer addendum.
• Legacy outsourcing where documentation is incomplete, and teams rely on “we’ve always done it this way.”

What you actually need to do (step-by-step)

Step 1: Assign ownership and define triggers

Create a short operating procedure with named owners:

• Primary owner: Privacy/DP function (or DPO office) to run the assessment and maintain the register.
• Legal owner: Public international law / regulatory counsel to interpret agreements.
• Procurement/TPRM owner: Ensure third-party intake routes potential Article 96 scenarios to Privacy/Legal.

Define trigger events that force an Article 96 check:

• New third-country transfer pathway.
• New third party that will receive EU personal data offshore.
• Material change in service location, subprocessing, or hosting geography.
• Any contract that references an “international agreement” as the transfer basis. (Regulation (EU) 2016/679, Article 96)

Step 2: Build an “Article 96 applicability register” (lightweight, but auditable)

Add a column set to your transfer inventory (or create a dedicated register) with:

• Transfer scenario (system/process, exporter entity, importer entity, destination country/organisation)
• Whether a Member State pre-24 May 2016 agreement is claimed to apply
• Agreement identifier (name, date, parties) and document location
• Legal assessment outcome: applies / does not apply / unknown
• If applies: what scope it covers (categories of data, purposes, onward transfer constraints)
• Monitoring owner and review cadence aligned to your change management (qualitative is fine)

This is the “single pane of glass” an auditor will ask for.

Step 3: Confirm existence and scope (do not accept assertions)

Where an agreement is claimed:

1. Obtain the agreement text (or authoritative excerpt) and store it in a controlled repository.
2. Confirm it was concluded before 24 May 2016.
3. Confirm it involves transfers of personal data to a third country or international organisation.
4. Document counsel’s view that it complied with Union law applicable prior to that date, or document that you cannot conclude this internally and need external advice. (Regulation (EU) 2016/679, Article 96)

If you cannot obtain the agreement text, treat it as not a usable transfer justification until verified. Your transfer governance should default to your standard GDPR transfer mechanism decision tree, not to an unverified “legacy agreement.”

Step 4: Operationalize it inside contracting and third-party due diligence

Add two concrete checks to your third-party workflow:

• Contract language flag: If an MSA, DPA, or SOW references a treaty, MoU, “international agreement,” or government-to-government arrangement, the contract cannot be executed without Privacy/Legal review mapped to Article 96.
• Data transfer intake question: “Is this transfer governed by a Member State international agreement concluded before 24 May 2016?” If “yes” or “unknown,” escalate.

This is where teams often fail: they write a policy note, but procurement keeps onboarding third parties without capturing the signal.

Step 5: Create a change-and-exit plan for legacy agreement reliance

Article 96’s operational cliff edge is explicit: the agreement remains in force until amended, replaced or revoked. (Regulation (EU) 2016/679, Article 96)

For each in-scope agreement you rely on, document:

• What event would break your reliance (amendment/replacement/revocation; also practical: counterparty refusing to honor it)
• What transfer tool you would move to (your organization’s standard alternative)
• Who approves the change and how fast you can execute it (use your contract change process)

Step 6: Evidence packet and ongoing governance

On a recurring cadence aligned to your broader transfer governance, refresh:

• Register accuracy (new transfers, retired transfers)
• Open “unknown” determinations
• Exceptions where operations proceeded before agreement verification

Daydream tip (earned mention): If you are managing many third parties and transfer pathways, Daydream’s requirement-to-evidence workflow can house the Article 96 register, route “international agreement” flags from intake to Legal, and produce a defensible evidence packet on demand.

Required evidence and artifacts to retain

Keep these in an “Article 96 evidence packet” folder per agreement or per transfer cluster:

• Article 96 applicability register export (dated)
• Copy of the international agreement (or controlled reference location)
• Legal memo / decision record: applies vs. does not apply, scope, and constraints (Regulation (EU) 2016/679, Article 96)
• Contract excerpts where the agreement is referenced (if applicable)
• Change management records showing monitoring and responses to any updates
• Exceptions log (cases where the agreement was claimed but not verified, and how you remediated)

Common exam/audit questions and hangups

Auditors and customer due diligence reviewers tend to ask:

• “Show me all mechanisms you rely on for international transfers, and where Article 96 fits.”
• “Do any third parties claim an international agreement governs data exports? Produce it.”
• “How do you ensure procurement escalates these cases?”
• “What happens if the agreement is revoked tomorrow?” (Regulation (EU) 2016/679, Article 96)

Hangups:

• You can’t produce the agreement text. That often ends the conversation badly.
• You have no ownership model. Privacy assumes Legal owns it; Legal assumes Privacy owns the inventory.
• You can’t show operational triggers. The control exists “in theory,” but nobody can prove it runs.

Frequent implementation mistakes (and how to avoid them)

1. Treating Article 96 as a transfer mechanism you can choose. It is a recognition of continuity for certain state agreements, not a plug-in tool you can adopt ad hoc. Avoid this by requiring evidence of applicability before any reliance. (Regulation (EU) 2016/679, Article 96)

2. Leaving “international agreement” assertions unchallenged. Third parties sometimes include vague references. Fix it with a contract red-flag clause and mandatory Legal review.

3. No monitoring for amendment/replacement/revocation. Article 96 bakes in change risk. Put a named owner and a simple monitoring method in your SOP. (Regulation (EU) 2016/679, Article 96)

4. No linkage to your data map. If you cannot tie the agreement to specific systems, data categories, and transfer destinations, you cannot control scope creep.

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog for Article 96, so you should treat it as a defensibility and governance requirement rather than an enforcement-driven hotspot.

Risk implications still matter:

• Regulatory credibility risk: If you cite an agreement you cannot produce, your transfer governance looks non-operational.
• Contractual risk: Customers and partners may ask for your transfer basis. Unverified claims can create breach-of-contract exposure.
• Operational continuity risk: If a relied-upon agreement changes, you need a pre-approved migration path to avoid disruption. (Regulation (EU) 2016/679, Article 96)

Practical 30/60/90-day execution plan

First 30 days (stabilize and find scope)

• Publish an internal SOP: “Article 96 legacy agreement check,” with owners and escalation triggers. (Regulation (EU) 2016/679, Article 96)
• Add two intake questions to third-party onboarding and transfer assessments: “international agreement?” and “date concluded?”
• Run targeted discovery: ask Legal and the business lines most likely to touch government programs whether any such agreements exist.

Days 31–60 (inventory and harden the control)

• Stand up the Article 96 applicability register and populate known transfer pathways.
• For each “yes/unknown,” obtain the agreement text and create a decision record.
• Update contract templates or playbooks to flag “international agreement” language for review.

Days 61–90 (make it durable)

• Build the change plan for any transfer flows that truly rely on a legacy agreement.
• Close “unknowns” or formally document why you cannot confirm and what alternate basis you use.
• Package the evidence: register, memos, and workflow records, so you can answer diligence requests quickly. (Regulation (EU) 2016/679, Article 96)

Frequently Asked Questions

Does Article 96 give my company a new legal basis to transfer personal data internationally?

Article 96 does not create a new transfer tool; it preserves certain Member State international agreements concluded before 24 May 2016 if they met EU law at the time. Your job is to verify whether such an agreement actually applies to your transfer. (Regulation (EU) 2016/679, Article 96)

We are a private company. Is Article 96 irrelevant?

Often it won’t be your primary transfer basis, but it is still relevant as a governance check. Private companies can process data within programs or contracts that reference state-level international agreements. (Regulation (EU) 2016/679, Article 96)

A third party claims an “international agreement” covers the transfers, but won’t share it. What do we do?

Treat it as unverified and do not rely on it as your transfer justification. Escalate to Legal, require documentary support, or move to your standard transfer mechanism and contract language path. (Regulation (EU) 2016/679, Article 96)

What evidence will an auditor expect for Article 96?

A register showing where Article 96 was assessed, plus the agreement text (or controlled reference) and a documented applies/does-not-apply decision. Retain records showing how the check is triggered in onboarding and contracting. (Regulation (EU) 2016/679, Article 96)

How do we monitor “amended, replaced or revoked” in practice?

Assign a named Legal owner for each applicable agreement and tie monitoring to your contract/regulatory change management. Document the trigger and the decision pathway that moves the transfer to an alternate mechanism if the agreement changes. (Regulation (EU) 2016/679, Article 96)

Can we close this requirement with a policy statement only?

A policy statement helps, but auditors test operation. Add intake triggers, keep a register, and retain decision records so you can prove the control runs and produces outcomes. (Regulation (EU) 2016/679, Article 96)