GRCWatch
Sign inStart free trial

GDPR A44-01: General Principle for Transfers

International data transfers are one of GDPR's most complex requirements, but they're non-negotiable if your business operates across borders. GDPR Article 44 mandates that every transfer of personal data outside the EEA must be justified and documented under Chapter V mechanisms. Without proper transfer mechanisms in place, you're exposed to enforcement action and customer data risks.

What this means

GDPR Article 44 establishes the foundational rule that personal data cannot leave the EEA or be transferred to international organizations unless you've implemented and documented a valid transfer mechanism under Chapter V. This means you must identify every data flow crossing borders, classify the data involved, determine which transfer mechanism applies (adequacy decisions, standard contractual clauses, binding corporate rules, or derogations), and maintain evidence that your chosen mechanism is legally sufficient. The requirement is strict: transfers without documented legal basis are violations, regardless of intent.

How to comply

  1. 1.Map all international data flows by identifying systems, applications, and vendors that access personal data outside the EEA
  2. 2.Classify the personal data categories being transferred and identify the legal basis for each transfer
  3. 3.Determine which Chapter V transfer mechanism applies: adequacy decision, standard contractual clauses (SCCs), binding corporate rules (BCRs), or approved derogations
  4. 4.Document the transfer mechanism chosen and the legal reasoning supporting it for each data flow
  5. 5.Implement contractual safeguards (e.g., Data Processing Agreements with SCCs) for transfers to non-adequate countries
  6. 6.Conduct Transfer Impact Assessments (TIAs) to evaluate third-country legal frameworks and government access risks
  7. 7.Review and update transfer documentation whenever transfer mechanisms change or new adequacy decisions are issued
  8. 8.Maintain evidence of compliance (decision logs, contracts, TIAs) and make records available to supervisory authorities upon request

Evidence auditors look for

  • Data transfer inventory spreadsheet listing each international data flow, destination country, data categories, and applicable transfer mechanism
  • Standard contractual clauses (SCCs) executed with vendors or international entities receiving personal data
  • Data Processing Agreements (DPAs) that include SCC modules and reflect the current legal framework
  • Transfer Impact Assessment (TIA) documentation evaluating third-country laws, surveillance risks, and safeguard adequacy
  • Board or management approval records authorizing specific international transfers
  • Adequacy decision verification confirming EU Commission recognition of the destination country's data protection level
  • Binding Corporate Rules (BCRs) if applicable for intra-group transfers
  • Derogation justifications (e.g., explicit consent logs) if using GDPR Article 49 exemptions
  • Vendor contracts showing explicit data location restrictions and international transfer prohibitions where applicable

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the mapping and monitoring of international data transfers, tracks Chapter V mechanism expiration dates (like adequacy decision changes), and flags compliance gaps—so you maintain a current transfer inventory without manual spreadsheet maintenance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A45 — Transfers Based on Adequacy DecisionGDPR A46 — Transfers Subject to Appropriate SafeguardsGDPR A49 — Derogations for Specific SituationsGDPR A5 — Data Processing PrinciplesGDPR A32 — Security of Processing