Offshoring and international transfers
Article 44 limits transfers of personal data outside the EEA unless the third country ensures an adequate level of protection. With offshoring and cloud computing, overcoming this restriction is the single most difficult compliance aspect for EU customers using overseas suppliers. But it is not an absolute prohibition: Chapter 5 of the GDPR sets out conditions, and several routes exist.

| Route | GDPR basis | Key feature |
|---|---|---|
| Adequacy decision / Privacy Shield 2.0 | Art 45 | Transfers lawful while the decision is valid; US importers must include processing on behalf of customers within their certification |
| Standard contractual clauses (SCCs) | Art 46 | Revised 4 June 2021; modular approach covering C2C, C2P, P2P and P2C scenarios |
| Ad hoc / tailored clauses | Art 46(3) | Negotiated clauses approved by a competent DPA; can suit processor-to-processor transfers |
| Binding corporate rules for processors | Arts 46/47 | Internal rules tailored to the processor; creates 'safe processors' regardless of location |

| Module | Transfer scenario |
|---|---|
| Controller-to-controller | C2C |
| Controller-to-processor | C2P |
| Processor-to-processor | P2P |
| Processor-to-controller | P2C |

Safe Harbor fell in 2015; the original Privacy Shield fell in 2020. A Privacy Shield 2.0 is expected under a fresh Commission adequacy decision (Article 45), following the March 2022 announcement of the Trans-Atlantic Data Privacy Framework.