Moving personal data across borders under the GDPR or UK GDPR means picking a lawful transfer mechanism from Chapter V. This selector walks the decision tree the way a data protection officer would — adequacy first, then contracts, then narrow derogations — and tells you the exact article that applies.
How it works
Chapter V sets a priority order for cross-border transfers:
- Adequacy (Art. 45) — if the destination has an adequacy decision, you can transfer freely with no extra safeguard.
- Appropriate safeguards (Art. 46) — otherwise use a contract: EU Standard Contractual Clauses for an EU exporter, or the IDTA / UK Addendum for a UK exporter, paired with a transfer risk assessment.
- Binding Corporate Rules (Art. 47) — for intra-group transfers in large multinationals, once approved by a supervisory authority.
- Derogations (Art. 49) — explicit consent or contractual necessity, only for occasional, limited transfers.
The tool applies these in order based on your answers, including the special case of certified US recipients under the Data Privacy Framework.
EU versus UK: two regimes, different tools
The EU and UK have diverged since Brexit. An EU exporter sending data to the US must use the 2021 EU Standard Contractual Clauses (which replaced the old 2010 SCCs). A UK exporter sending the same data must use either the UK International Data Transfer Agreement (IDTA) or the old EU SCCs supplemented by the UK Addendum — the EU SCCs alone are not sufficient for a UK-to-third-country transfer.
If you are a multinational with both an EU entity and a UK entity transferring to the same US vendor, you may need both: EU SCCs for the EU leg and the IDTA for the UK leg. The selector distinguishes these regimes based on which data-protection law governs the exporter.
The Data Privacy Framework special case
US recipients that are certified under the EU-US Data Privacy Framework (DPF) benefit from an adequacy-equivalent status for EU transfers — no SCCs needed, provided the recipient’s certification is active. This does not apply to UK transfers; the UK has its own adequacy decision for the US that operates on different terms.
Always verify DPF certification at the official DPF list before relying on it, since certification can lapse.
Worked examples
Example 1 — Routine analytics to a non-DPF US vendor (EU exporter): Adequacy does not cover the US generally. The appropriate mechanism is the EU SCCs, module 2 (controller to processor), combined with a Transfer Impact Assessment documenting supplementary measures such as encryption and pseudonymisation.
Example 2 — Same flow from a UK subsidiary: Use the IDTA or the EU SCCs with the UK Addendum. A Transfer Risk Assessment is still required.
Example 3 — One-time employee relocation data sent to a non-adequate country: An Article 49(b) derogation may apply if the transfer is necessary to perform a contract with the data subject. Document the necessity and keep it as a genuine exception, not a workaround for routine flows.
Example 4 — Intra-group HR data across 20 countries (large multinational): Binding Corporate Rules, once approved, cover all the group entities listed. The approval process is long (typically 12–24 months) but removes the need to execute SCCs with every internal entity.
Transfer Risk Assessment: the step people skip
Both the EU SCCs and the UK IDTA require a documented Transfer Impact Assessment (TIA) or Transfer Risk Assessment (TRA) evaluating whether the destination country’s laws allow the contractual protections to work in practice. This is not optional. Supervisory authorities have enforced this requirement, and contracts alone are insufficient without the assessment. The selector flags when a TIA/TRA is required alongside the chosen mechanism.