Home · Synthesis · cl-gdpr-international-transfers

GDPR Articles 44-49 international transfers

CSA CCM v4DPDPAGDPRISO 27701

Primary statement

GDPR transfers Arts 44-49: general principle (44) + adequacy (45) + appropriate safeguards SCCs/BCRs (46) + BCRs intra-group (47) + derogations (49). Plus DPDPA + ISO 27701 + CSA. Post-Schrems II transfer impact assessment required.

Audit-fatigue payoff

A unified GDPR transfer programme — adequacy + SCCs + BCRs + derogations + TIA — satisfies cross-border across all 4 contributing frameworks.

Strictness matrix

Scope
Scope: ANY transfer of personal data to third country or international organisation. Ceiling source: gdpr:Art.44 Rationale: GDPR Art 44 universal scope is foundational.
Threshold
Threshold: adequacy OR appropriate safeguards (Art 46) OR derogation (Art 49). Without one, transfer is unlawful. Ceiling source: gdpr:Art.45 Rationale: GDPR Art 45 three-path threshold is binary.
Method
Method: adequacy check + appropriate safeguards (SCCs, BCRs, codes, certifications) + BCRs intra-group + derogations + transfer impact assessment (post-Schrems II). Ceiling source: gdpr:Art.46 Rationale: GDPR Arts 44-49 form the canonical method.
Frequency
SCC review on EU Commission release. TIA per transfer + on material change. Ceiling source: gdpr:Art.46 Rationale: Per-transfer TIA post-Schrems II is the cadence.
Evidence
Evidence: transfer register + adequacy references + executed SCCs/BCRs + per-transfer TIA + derogations log. Ceiling source: gdpr:Art.46 Rationale: GDPR Art 46 evidence with TIA is comprehensive.

Auditor test pattern

Step 1: Inspect transfer register. Step 2: For sample transfer, verify legal mechanism. Step 3: Inspect TIA per transfer. Step 4: Verify SCCs are current 2021 EU version.

Common findings

Common findings: (1) SCCs not refreshed to 2021; (2) TIA absent (post-Schrems II); (3) BCRs approval pending; (4) Derogations used as routine.