ClearLaunch
Feature CheckerRegulations & PoliciesEnforcementRadarVendorsChangelogGuides
FAQ
← All Controls

Cross-border data transfer mechanism

cross-border-transfer-mechanismDomain: data-transfersType: mixed

Description

Every regulated jurisdiction with a comprehensive data-protection law restricts the transfer of personal data outside the jurisdiction's borders unless the receiving country provides comparable protection OR the controller has implemented an approved transfer mechanism. The control documents which mechanism is in place per data-flow: adequacy decisions (e.g. UK, Switzerland, Japan, EU-US Data Privacy Framework for self-certified US recipients), Standard Contractual Clauses (SCCs) supplemented by transfer impact assessments, Binding Corporate Rules for intra-group transfers, derogations under GDPR Art 49 (explicit consent, contract necessity, public interest), or technical safeguards like data residency that avoid the transfer in the first place. The companion control 'cross-border-transfer-record' captures the inventory of flows + mechanism per flow.

Required by (3 regulations)

  • GDPR

    Chapter V (Articles 44-50) — restricted transfers to third countries; permitted only with adequacy decision, SCCs / BCRs / approved code of conduct + supplementary measures, or Article 49 derogations.

    GDPR Art. 44-50

  • PIPL

    Article 38 — outbound transfers from China require security assessment, certification, standard contract, or other CAC-approved mechanism.

    PIPL Art. 38

  • LGPD

    Article 33 — international transfers permitted only to countries with adequate protection or with specific guarantees (SCCs, BCRs, specific consent, contract necessity).

    LGPD Art. 33

Fulfilled by (3)

  • aws-regions · partial · medium effort · $$
    AWS region selection enables data-residency-based avoidance of cross-border transfer in the first place; pair with KMS region-scoping for full residency.
  • google-cloud-regions · partial · medium effort · $$
    GCP regional storage + multi-region replication policies; pair with Customer-Managed Encryption Keys for residency assurance.
  • In-house build · high effort
    Execute SCCs / DTAs with each non-adequate-jurisdiction processor; maintain TIAs per flow; track in vendor-management system.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

  • transfer mechanism matrix (flow × mechanism)
  • executed SCCs / DTAs
  • transfer impact assessment (TIA)
  • data residency configuration (when applicable)

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

ClearLaunch

Regulatory intelligence for people who ship products.

Tools
Feature CheckerRegulations & PoliciesVendorsGuidesFor LegalFor EngineeringFor ExecutivesFor Investors
About
AboutMethodologyChangelogFAQRegulatory UpdatesClearLaunch on LinkedIn
Legal
Terms of ServicePrivacy PolicyHow we handle your dataCoverage scope & limitations

Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. ClearLaunch provides legal information; consult a licensed attorney in your jurisdiction. Data reviewed through March 2026. Methodology

© 2026 ClearLaunch · Terms · Privacy