I had hoped to do an analysis of this on my blog over Xmas but ended up playing games with the family - much more productive.
The conclusion I have reached for the scenario where a third country controller (which could be UK post-Brexit) uses an EU processor is that GDPR almost certainly applies "in full". That seems to be inevitable following Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
Whether Article 44 bites when the processor returns data, or when the controller accesses the data, depends on whether such activity is regarded as a transfer. If so Article 44 bites but in the first instance none of the mechanisms in Arts 45-46 seems to apply - in particular there are no approved SCCs - which indicates a problem.
On the other hand the fact that there are no SCCs and the Guidelines don't really address this directly may suggest that it is not actually a 'transfer' and looked at "in concreto" as we are urged to do an Art 28 agreement will suffice - noting in passing that so far as EU is concerned GDPR will apply and not the UK GDPR (Art 3).
If it is a transfer the obvious solution is Art 46(3)(a). Draft your own clauses - which should be relatively straightforward using the existing SCCs, transposing the terms and making consequential adjustments - and ask ICO to either (a) approve them or (b) confirm that they are not needed as no transfer is involved.
If I was a cautious type I'd get on with this now.