AuditFront

GDPR Art.44: General Principle for Transfers

What This Control Requires

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

In Plain Language

Every time personal data leaves the EEA, the GDPR's protections must travel with it. Article 44 sets the foundational rule for Chapter V: you cannot simply send data to a third country or international organisation without a valid legal mechanism in place. The protection your users enjoy under EU law must not be diluted, no matter where the data ends up.

This covers all forms of cross-border data movement - sending data directly to a partner or group company abroad, using processors or sub-processors outside the EEA, hosting in non-EEA cloud infrastructure, remote access by overseas support teams, and analytics or AI services processing data in third countries. Onward transfers are caught too: if data goes from the EEA to Country A, then from Country A to Country B, both legs need a valid transfer mechanism.

The available mechanisms under Chapter V are adequacy decisions (Article 45), appropriate safeguards like Standard Contractual Clauses and Binding Corporate Rules (Article 46), and derogations for specific situations (Article 49). You need to identify which mechanism covers each international transfer and make sure it actually works. Since the Schrems II ruling, that means conducting Transfer Impact Assessments to verify your chosen safeguard genuinely protects the data in practice, not just on paper.

How to Implement

Start by mapping every international data transfer your organisation makes. Go beyond the obvious ones - look for personal data leaving the EEA through direct transfers to overseas business partners or group entities, processors and sub-processors based outside the EEA, cloud services with servers or access points in third countries, remote access by support staff or engineers abroad, and analytics or AI tools that process data outside the EEA. Record the data categories, volumes, recipients, and destination countries for each transfer, and record each onward leg from a recipient to its own sub-processors, because every leg needs its own mechanism.

Assign a legal mechanism to each transfer. Check whether an adequacy decision covers the destination country first - that is the simplest path, and no TIA is required for it. If not, pick the most suitable safeguard (Standard Contractual Clauses are the workhorse for most organisations). Only fall back on Article 49 derogations when no safeguard can be made to work; they are meant for occasional, specific situations, not routine flows. Document the legal basis clearly.

Run Transfer Impact Assessments for every transfer that relies on Article 46 safeguards, especially SCCs. Following Schrems II, assess whether the destination country's laws and enforcement practices provide essentially equivalent protection to EU law. Look closely at government surveillance powers, the practical effectiveness of your chosen mechanism, and whether supplementary measures are needed to close any gaps. The 2021 SCCs make this explicit: Clause 14 requires the parties to document their assessment of local law and to make it available to the supervisory authority on request.

Where your TIA flags risks, put supplementary measures in place. Technical measures are the strongest - think encryption with keys held exclusively in the EEA, pseudonymisation before transfer, or split processing. Note the limit: encryption only counts as a supplementary measure if the importer never holds the key. If the importer needs the data in the clear to deliver the service, provider-managed encryption at rest or in transit does not close the gap. Back technical measures up with organisational measures like internal policies and transparency reporting, plus contractual measures such as enhanced breach notification obligations and audit rights.

Set up ongoing monitoring. Third-country legal frameworks shift, adequacy decisions can be repealed by the Commission or struck down by the Court (Safe Harbour and Privacy Shield both were), and new court rulings can change the picture overnight. Review your transfer mapping, legal bases, and TIAs on a regular cycle and update them whenever circumstances change.
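The mapping, mechanism and TIA steps above can be enforced mechanically once the transfer register is structured data. The following is an added example, not AuditFront's code or any official tool: it walks a register of transfers, including onward legs to sub-processors, and reports every leg that lacks a Chapter V mechanism, a TIA, or supplementary measures where the TIA found risk. The register entries, the entity names, and the adequacy list are constructed and illustrative; the adequacy set in particular must be maintained from the Commission's published list rather than copied from here.

```python
"""Transfer register checker for GDPR Chapter V (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# EU-27 plus Iceland, Liechtenstein and Norway. Data that stays inside this
# set is not a Chapter V transfer.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# ASSUMPTION: illustrative subset of Commission adequacy decisions. Replace
# with the Commission's current list; it is not exhaustive here.
ADEQUACY = {"CH", "GB", "JP", "KR", "CA", "NZ", "IL", "AR", "UY"}

SAFEGUARDS = {"scc", "bcr"}   # Article 46 mechanisms that need a TIA
DEROGATION = "art49"          # Article 49, specific situations only


@dataclass
class Transfer:
    exporter: str
    importer: str
    country: str                      # ISO 3166-1 alpha-2 of the importer
    mechanism: Optional[str] = None   # "adequacy", "scc", "bcr", "art49", None
    dpf_certified: bool = False       # US importer certified under EU-US DPF
    tia_done: bool = False
    tia_risk: bool = False            # TIA found local law undermines protection
    supplementary: list = field(default_factory=list)
    onward: list = field(default_factory=list)   # legs to sub-processors


@dataclass
class Finding:
    severity: str   # "block", "warn" or "info"
    path: str       # "exporter -> importer -> sub-processor" chain
    message: str


def _adequate(t: Transfer) -> bool:
    # US adequacy is limited to organisations certified under the DPF
    if t.country == "US":
        return t.dpf_certified
    return t.country in ADEQUACY


def evaluate(t: Transfer, path: str = "") -> list:
    """Classify one leg, then recurse into its onward transfers."""
    path = f"{path} -> {t.importer}" if path else f"{t.exporter} -> {t.importer}"
    out = []
    if t.country in EEA:
        out.append(Finding("info", path, "intra-EEA, not a Chapter V transfer"))
    elif _adequate(t):
        out.append(Finding("info", path, "covered by adequacy decision; monitor for repeal"))
    elif t.mechanism in SAFEGUARDS:
        if not t.tia_done:
            out.append(Finding("block", path, f"{t.mechanism} without a TIA (Schrems II)"))
        elif t.tia_risk and not t.supplementary:
            out.append(Finding("block", path, "TIA found risk but no supplementary measures"))
        elif t.tia_risk:
            out.append(Finding("warn", path, "relies on: " + ", ".join(t.supplementary)))
        else:
            out.append(Finding("info", path, f"{t.mechanism} with documented TIA"))
    elif t.mechanism == DEROGATION:
        out.append(Finding("warn", path, "Article 49 derogation; must be occasional and documented"))
    else:
        out.append(Finding("block", path, "no Chapter V mechanism; transfer must not proceed"))
    for leg in t.onward:          # each onward leg is assessed on its own
        out.extend(evaluate(leg, path))
    return out


def evaluate_register(register: list) -> list:
    return [f for t in register for f in evaluate(t)]


def blocked(findings: list) -> list:
    return [f for f in findings if f.severity == "block"]


# Constructed register: an EU controller using a US SaaS processor under SCCs
# (with TIA and key-in-EEA measures) that has two sub-processors, a support
# team in India with remote access and no mechanism, and a UK payroll vendor.
REGISTER = [
    Transfer("acme-eu", "crm-saas", "US", "scc", tia_done=True, tia_risk=True,
             supplementary=["customer-held keys in EEA KMS", "pseudonymised exports"],
             onward=[
                 Transfer("crm-saas", "log-analytics", "US", "scc", tia_done=False),
                 Transfer("crm-saas", "backup-store", "CH", "adequacy"),
             ]),
    Transfer("acme-eu", "l2-support", "IN", None),
    Transfer("acme-eu", "payroll-uk", "GB", "adequacy",
             onward=[Transfer("payroll-uk", "print-vendor", "IN", "scc", tia_done=True)]),
]

if __name__ == "__main__":
    for f in evaluate_register(REGISTER):
        print(f"[{f.severity:5}] {f.path}: {f.message}")
```

Run as a script it prints one line per leg; the two "block" lines are the sub-processor that was never assessed and the support team with no mechanism at all, which is exactly the class of gap the mapping step is meant to surface. In a real deployment the register would be loaded from the DPIA or vendor inventory and the check run as a gate whenever a vendor or sub-processor is added.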

Evidence Your Auditor Will Request

  • Comprehensive mapping of all international data transfers
  • Legal basis documentation for each international transfer (adequacy, SCCs, BCRs, etc.)
  • Transfer Impact Assessments for transfers relying on appropriate safeguards
  • Documentation of supplementary measures implemented where needed
  • Regular review records of international transfer compliance

Common Mistakes

  • No mapping of international data transfers, leaving some transfers unidentified and ungoverned
  • Transfers occurring without any legal mechanism in place under Chapter V
  • No Transfer Impact Assessment conducted for transfers relying on SCCs or other safeguards
  • Inadequate supplementary measures where the destination country's laws undermine protection
  • Onward transfers not addressed, with data flowing to countries beyond the initial recipient

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Related
NIS2         Art.21.2e     Partial overlap

Frequently Asked Questions

Does using a cloud service with global infrastructure constitute an international transfer?
It very likely does, yes. If personal data sits on servers outside the EEA, or if the provider's staff in third countries can access it, that counts as an international transfer. Check where data is actually stored, which sub-processors the provider uses, and where support and admin access happens. Most major cloud providers now offer EEA-only data residency options - it is worth asking for them, but residency alone does not settle the question: if support or operations staff outside the EEA can still reach the data, that access is itself a transfer and needs a mechanism and a TIA of its own.
What changed after the Schrems II judgment?
The Court of Justice invalidated the EU-US Privacy Shield and made clear that SCCs (and other Article 46 safeguards) are not a rubber stamp. You now need to assess, transfer by transfer, whether the destination country actually provides essentially equivalent protection. In practice, that means running Transfer Impact Assessments and layering on supplementary measures where needed. If you cannot ensure adequate protection, the transfer has to be suspended or ended. For the US specifically, the EU-US Data Privacy Framework adequacy decision of July 2023 now covers transfers to US organisations certified under it; transfers to non-certified US importers still need SCCs and a TIA.
What counts as a 'transfer' of personal data?
The EDPB defined three cumulative criteria: the exporter (a controller or processor) is subject to the GDPR for the processing in question; the exporter discloses or otherwise makes personal data available to another controller or processor (the importer); and the importer is in a third country or is an international organisation. Remote access counts too - if someone at a third-country entity can view data held in the EEA, that is a transfer. Two things fall outside the definition: a data subject sending their own data directly to a third-country company, and an employee of the EEA entity accessing its systems while travelling abroad, since in that case the data is not being made available to a different entity.
