European Union’s General Data Protection Regulation (GDPR) stands at the forefront of the current data privacy boom.
Companies dealing with the personal information of customers must evaluate and adjust to meet the stringent requirements of the GDPR articles. These efforts include taking steps to accomplish compliance and making the key principles a part of their daily operations.
Each of the articles has a different set of requirements, but as they include complex legalese, not every business owner can understand how to comply.
In this guide, we’ll focus solely on GDPR Article 44—what it means, how it works, and what you can do to integrate it into every part of your operations.
What is GDPR Article 44 Anyway?
Marking the beginning of Chapter 5, which focuses on how businesses should handle data transfer out of the European Union and GDPR, Article 44 emphasizes that owners should get explicit permission before transferring data to third countries or international organizations.
The easiest way for businesses to comply with Article 44 requirements is to have a process in place for documenting data transmission actions and agreements.
Let’s take a look at the legal text of GDPR article 44.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
In simple terms, Article 44 prohibits the transfer of personal data beyond the EU or EEA, unless the recipient country can prove it provides adequate data protection. Cross-border data transfer to third countries can only take place if the conditions laid down in Chapter 5 are complied with by the controller and processor while being subject to the provisions of this regulation.
The descriptions of acceptable proof are detailed in Articles 45 to 49. Here’s what they include:
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Articles 47: Binding corporate rules
- Article 48: Transfers or disclosure is not authorized by Union Law (international agreements)
- Article 49: Derogations for specific situations
The European Commission can decide that a non-EU/EEA country, sector within that country, or international organization provides adequate data protection. There are currently two forms of advocacy decisions: Whitelisted Jurisdictions and Privacy Shield Framework.
- Whitelisted Jurisdictions: The European Commission may find that a non-EU/EEA jurisdiction does enforce data protection laws that are (essentially) equivalent to the GDPR. Currently, Argentina, Andorra, some provinces of Canada, Faroe Islands, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Guernsey are the jurisdictions that enjoy an Adequacy Decision.
- Privacy Shield Framework: Approved on July 16, 2016, the Privacy Shield Framework enables U.S organizations to self-certify to the U.S Department of Commerce and then publicly commit to comply with the framework’s data protection requirements, with the public commitment being enforceable under the U.S law.
The European Commission may allow transfers to countries where appropriate safeguards are in place. These safeguards include the following:
- Standard Contractual Clauses (SCC): You’ll find two sets of standard contractual clauses for transfers from Data Controllers to Data Controllers and another set for transfers to Data Processors located outside the EU/EEA.
- Codes of Conduct and Certification: These conduct and certification codes aren’t yet defined or adopted by the GDPR.
Binding Corporate Rules
Binding corporate rules, or BCRs, are internal rules used by a multi-national corporation to define personal data transfers to company entities located in countries that don’t provide an adequate level of protection. These must specify the company’s data privacy principles (transparency, data quality, data security, and so on), effectiveness tools (data audits, complaint handling, training, and so on), and proof of the binding nature of the BCRs.
Also, BCRs can’t legitimize transfers to non-affiliated entities like customers, suppliers, distributors, or government agencies.
Personal data may be transferred or disclosed only when ordered by a court or tribunal if based on an international agreement between the requesting country and the EU/EEA.
The European Commission may allow data transfers if it fulfills the following conditions:
- Explicitly consented to by the Data Subject.
- Necessary for the performance of a contract or vital interests of a Data Subject; for reasons of public interest recognized under EU/EEA law; for the establishment, exercise, or defense of a Data Subject‘s legal claims; or for the vital interests of a Data Subject who’s unable to give explicit consent.
- From a public register.
Article 44 recognizes each of the above strategies to prove a recipient country can provide adequate data protection.
How GDPR Article 44 Works
Article 44 enumerates the following two steps that have to be taken for the lawfulness of personal data transfers to countries outside the EU/EEA or “third countries“ and international organizations. They are as follows:
- The first condition is the general compliance with the provisions of the GDPR, considering the “transfer” of personal data is a type of “processing.” This includes the legal requirement of GDPR Article 6 and the fulfillment of the principles of GDPR Article 5.
- The second condition is based on an assumption that GDPR doesn’t apply in countries outside the EU/EEA. And since the protection in the EU cannot be undermined by a transfer to a third country, additional obligations have to be met to ensure the protection of the personal data that is being transferred. The specific requirements can be found in Chapter 5.
Note: According to Chapter 5, a transfer of personal data is only allowed if the third country offers a data protection level that’s adequate to the level of data protection in the EU, or if an exception applies.
How to Get Started With GDPR Article 44
The goal of Article 44 is to make sure that the personal data of every EU citizen stays protected even outside the boundaries of the Union.
Every business requires the following to comply with Article 44:
- Blocking transfer of personal data outside the EU/EEA
- Ensuring adequate data protection
Here’s how you can enforce both these rules:
Step 1: Implement Data Discovery and Classification Measures
For both the above conditions, data discovery and classification are the starting points for compliance. While the former provides visibility into the location, context, and volume of data on-premises, in the cloud, and in the legacy databases, the latter catalogs the discovered data according to its personal data type and security risk level.
Step 2: Enforce Adequate Data Protection Measures
Blocking data transfers requires implementing data access across borders management measures to keep a check on which data can be accessed outside defined borders.
In general, though, ensuring adequate data protection can be achieved through specific steps as follows:
Monitor, log and report all changes made to the data structure. This will show compliance auditors that every change to the database can be traced to accepted change tickets.
Take the necessary measures to ensure data integrity and confidentiality through change control reconciliation, query whitelisting, data across borders controls, and so on.
Data Loss Prevention
Monitor and protect data in motion on networks, at rest in data storage, or in use on endpoint devices regularly. You can prevent data theft by blocking attacks, privilege abuse, unauthorized access, malicious web requests, or any other unusual activity.
Data masking includes steps like anonymization of data via encryption/hashing, perturbation, and generalization. The idea here is to pseudonymize data by replacing sensitive data with realistic-looking fictional data to maintain operational and statistical accuracy—all while safeguarding databases.
Ethical walls maintain a clear-cut separation between business groups in a bid to comply with M&A requirements, government clearance, and so on.
Privileged User Monitoring
Privileged user monitoring (PUM) monitors privileged user database access and activities, as well as blocks any unauthorized access or activity when needed.
Secure Audit Trail Archiving
Secure audit trail archiving involves protecting the audit trail from tampering, modification, deletion, as well as providing forensic visibility.
Sensitive Data Access Auditing
Monitor access to and changes of data protected by the law, compliance regulations, and all contractual agreements. Any unauthorized access or changes should trigger alarms. Plus, make a point to create an audit trail for forensics.
User Rights Management and User Tracking
User rights management involves identifying excessive, inappropriate, and unused privileges while user tracking maps the web application end-user to the shared application/database user to the final data access.
VIP Data Privacy
VIP Data Privacy involves maintaining strict access control on highly sensitive data, such as data stored in multi-tiered enterprise allocations such as SAP.