GDPR Article 44: General Principle for International Transfers

GDPR Article 44 establishes the general principle for international data transfers: protection level cannot be undermined. Framework, hierarchy of safeguards, exceptions.

In one sentence. GDPR Article 44 establishes the general principle that any transfer of personal data to a third country or international organisation may only take place if conditions in Chapter V (Articles 44-50) are complied with — including by subsequent transfers to other third countries. The provision exists to ensure that the level of protection guaranteed by the GDPR is not undermined. Article 44 is the umbrella that anchors the entire international transfer framework: adequacy decisions (Article 45), safeguards (Article 46), BCRs (Article 47), and derogations (Article 49).

Article 44 is procedurally short but conceptually foundational. It sets the rule: data leaving the EU/EEA must continue to enjoy GDPR-equivalent protection. The mechanisms to ensure that protection are detailed in the subsequent articles. The Schrems II judgment (CJEU C-311/18, 2020) made clear that the obligation extends beyond formal compliance — the controller must verify that protection is effectively delivered.

For specific transfer mechanisms, see Standard Contractual Clauses (SCCs), Transfer Impact Assessment (TIA), and BCR vs SCC vs DPF. For the broader cross-border framework, see GDPR cross-border data transfers.

Key takeaways

  • Article 44 = umbrella for the entire Chapter V (Articles 44-50).
  • The protection level guaranteed by the GDPR must not be undermined by international transfers.
  • Applies to direct transfers AND onward transfers (from one third country to another).
  • Hierarchy of mechanisms: adequacy → safeguards → BCRs → derogations.
  • Schrems II added: formal mechanism alone is not enough — effective protection in the destination country must be verified (TIA).

1. Article 44 text

“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

Two key principles:

  1. All Chapter V conditions apply — adequacy, safeguards, BCRs, derogations
  2. Including for onward transfers — the chain doesn’t break at the first destination

2. The hierarchy of transfer mechanisms

GDPR Chapter V establishes a hierarchy:

| Rank | Mechanism | Article | When applicable |
|------|-----------|---------|-----------------|
| 1 | Adequacy decision | 45 | Country deemed adequate by Commission |
| 2 | Appropriate safeguards | 46 | No adequacy, but adequate contractual/binding measures (SCCs, BCRs, codes of conduct, certifications) |
| 3 | Binding Corporate Rules | 47 | Intra-group transfers under approved policies |
| 4 | Derogations | 49 | Specific situations, narrowly interpreted |

A controller must use the highest available mechanism. Skipping to Article 49 derogations when Article 46 safeguards would work is non-compliant.

3. Adequacy decisions (Article 45)

As of 2026, the Commission has issued adequacy decisions for:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland (renewed January 2024 under nLPD)
  • United Kingdom (post-Brexit)
  • United States — limited to organizations certified under the EU-U.S. Data Privacy Framework (DPF)
  • Uruguay

For these countries (and DPF-certified US recipients), transfers are treated as intra-EEA — no additional safeguards needed.

4. Appropriate safeguards (Article 46)

When no adequacy decision applies, the controller must implement appropriate safeguards. Options:

  • Standard Contractual Clauses (SCCs) approved by the Commission — most common
  • Binding Corporate Rules (BCRs) for intra-group transfers
  • Approved codes of conduct (Article 40)
  • Approved certification mechanisms (Article 42)
  • Ad hoc clauses approved by the supervisory authority
  • Legally binding instruments between public authorities

Post-Schrems II, all Article 46 safeguards require a Transfer Impact Assessment verifying that the safeguard delivers effective protection in the destination country.

5. Binding Corporate Rules (Article 47)

BCRs are internal corporate policies approved by a supervisory authority that allow intra-group transfers. They require:

  • Legally binding nature throughout the group
  • Express conferral of enforceable rights on data subjects
  • Specific minimum content (Article 47(2))
  • Approval by the lead supervisory authority through the consistency mechanism

Major BCR holders include Microsoft, IBM, Hewlett Packard, JPMorgan, eBay, Linklaters, Atos. BCR approval typically takes 12-24 months.

6. Derogations (Article 49)

Narrow exceptions for specific situations:

  • (a) Explicit consent of the data subject
  • (b) Necessary for contract performance with the data subject
  • (c) Necessary for contract performance in the data subject’s interest
  • (d) Important reasons of public interest
  • (e) Establishment, exercise or defence of legal claims
  • (f) Protect vital interests when consent impossible
  • (g) Transfer from a public register
  • (h) Not repetitive, limited number of data subjects, compelling legitimate interests

Article 49 derogations are strictly interpreted. EDPB Guidelines 2/2018 make clear they cannot be used for systematic transfers — they’re for occasional cases.

7. The Schrems II requirement

The CJEU in Schrems II (C-311/18, July 2020) added a key requirement: the controller must verify that the destination country’s law and practice provide essentially equivalent protection. If not, supplementary measures must be applied (typically technical: encryption with EU-held keys).

This requirement applies to all Article 46 safeguards (SCCs, BCRs, codes of conduct, certifications). It does NOT apply to Article 45 adequacy decisions (since the Commission has already made the assessment).

See Transfer Impact Assessment (TIA) for the methodology.

8. Onward transfers

Article 44 explicitly extends the obligation to onward transfers — data leaving the first destination for another third country. This means:

  • The contractual mechanism with the first recipient must address onward transfers
  • The SCCs include clauses obligating the importer to ensure equivalent protection for any onward transfer
  • The controller remains responsible for chain integrity

In practice, this means auditing the entire data flow, not just the first hop.

9. Sanctions

Article 83(5)(c) places Article 44 violations at the top tier — up to €20M or 4% of global turnover.

Notable cases:

  • Meta Ireland (DPC, May 2023) — €1.2 billion: largest GDPR fine, specifically for unlawful US transfers
  • Multiple cloud users (CNIL 2022): Google Analytics transfers sanctioned post-Schrems II
  • Clearview AI (multiple EU DPAs): €20M+ partly for unlawful transfers

The Meta €1.2B sanction makes Article 44 the most expensive provision in the GDPR’s history.

10. Practical compliance workflow

For each cross-border transfer:

  1. Identify the destination country
  2. Check adequacy (Article 45) — if adequate, no further mechanism needed
  3. For US transfers: verify DPF certification of the recipient
  4. For non-adequate destinations: select Article 46 safeguard (typically SCCs)
  5. Conduct TIA for Article 46 safeguards (post-Schrems II)
  6. Document supplementary measures if needed (technical, contractual, organizational)
  7. Sign SCCs or other instrument
  8. Record in ROPA the destination country and safeguard mechanism
  9. Annual review of adequacy, certifications, transfer mechanism validity

11. Tooling

Legiscope maps international data flows automatically, identifies the applicable Article 44+ mechanism per transfer, generates TIA templates, alerts on DPF certification expiry, and tracks adequacy decision changes.

For related deep-dives: Standard Contractual Clauses, TIA guide, BCR vs SCC vs DPF, GDPR cross-border data transfers.

Conclusion

Article 44 is the GDPR’s commitment that protection doesn’t stop at the EU border. Every other transfer article (45-50) is a mechanism to deliver on that commitment. The Meta €1.2 billion sanction makes clear: this is no longer paperwork, it’s a substantive obligation with substantive enforcement.

FAQ

What does GDPR Article 44 require?

Article 44 establishes the general principle: any transfer of personal data to a third country must comply with Chapter V (Articles 44-50), including for onward transfers. The level of protection guaranteed by the GDPR must not be undermined.

What’s the hierarchy of transfer mechanisms?

  1. Adequacy decision (Article 45) — preferred when available
  2. Appropriate safeguards (Article 46) — SCCs, BCRs, codes of conduct, certifications
  3. Binding Corporate Rules (Article 47) — for intra-group
  4. Derogations (Article 49) — narrowly interpreted, occasional use only

Which countries have an adequacy decision?

As of 2026: UK, Switzerland (renewed January 2024), Canada (commercial), Japan (private), New Zealand, Argentina, Israel, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, South Korea. For US: only DPF-certified organizations.

Does Article 44 apply to onward transfers?

Yes — explicitly. Data leaving the first destination for another third country must continue to comply with Chapter V. Contractual mechanisms must address the entire chain.

What’s the biggest sanction under Article 44?

Meta Ireland (DPC + EDPB, May 2023) — €1.2 billion, the largest GDPR fine to date, specifically for unlawful EU-US data transfers.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.