Article 44 of the GDPR: Data transfers to third countries

Summary

Article 44 of the GDPR explained
Why is this article important for your GDPR compliance?
How to comply with Article 44 of the GDPR?
Examples of application of Article 44 of the GDPR
Related Resources
Accelerate your compliance in just a few clicks

Article 44 of the GDPR sets out the general principle governing transfers of personal data to countries outside the European Union (called third countries). These transfers must guarantee a adequate level of protection.

Article 44 of the GDPR explained

Any transfer of data to a third country or an international organization can only take place if:

The third country offers a adequate level of protection, recognized by a decision of the European Commission;
Or if appropriate safeguards have been put in place (standard contractual clauses, binding corporate rules, etc.);
Or even if specific exemptions apply in limited cases (e.g. explicit consent, performance of a contract, reasons of public interest...).

Why is this article important for your GDPR compliance?

Data transfers to third countries represent a high risk to privacy if the protections are insufficient. Article 44 allows guarantee the continuity of the protection of personal data, even outside the EU.

How to comply with Article 44 of the GDPR?

Identify all non-EU data transfers made by your organization;
Check if there is an adequacy decision for the destination country;
If this is not the case, put in place appropriate guarantees (standard contractual clauses, BCR...);
Document the measures taken and inform those affected.

Examples of application of Article 44 of the GDPR

A European company uses an American cloud service: it implements the standard clauses approved by the European Commission;
A French company transfers data to its Japanese subsidiary: Japan benefits from an adequacy decision;
An association sends data to an NGO in a country without an adequate framework: it obtains explicit consent.