ClearLaunch

Cross-border data transfer record / inventory

cross-border-transfer-record · Domain: data-transfers · Type: policy

Description

Companion to the cross-border-transfer-mechanism control. Where the mechanism control documents the legal basis per data flow, this one is the operational inventory: every category of personal data leaving the source jurisdiction, the recipient organization and country, the data subjects affected, the retention applied at the recipient, and the executed transfer mechanism. Regulators (EDPB / ICO / CNIL / Brazil ANPD) increasingly request this in inquiries; the record is also the practical foundation for Records of Processing Activities (ROPA) under GDPR Article 30. Vendor support comes from data-mapping tooling that auto-discovers processor relationships from SaaS integrations and scans data flow patterns.

Required by (2 regulations)

  • GDPR

    Article 30 — records of processing activities must capture transfers to third countries including documentation of suitable safeguards under Articles 46 or 49.

    GDPR Art. 30

  • UK GDPR

    Article 30 (UK GDPR retained) — equivalent records-of-processing duty for UK controllers; ICO inquiries reference these directly.

    UK GDPR Art. 30

Fulfilled by (4)

  • onetrust · full · medium effort · $$$
    OneTrust Data Mapping module auto-discovers third-party data flows + generates Article 30 records.
  • osano · partial · low effort · $$
    Osano vendor monitoring + data flow assessment; pair with manual SCC tracking for full coverage.
  • transcend · partial · medium effort · $$$
    Transcend Inventory module — automated data flow discovery + per-system data subject category mapping.
  • In-house build · high effort
    Maintain in a vendor-management system or spreadsheet; pair with Records of Processing Activities (ROPA) workflow under GDPR Art 30.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

  • transfer inventory spreadsheet / system
  • Records of Processing Activities (GDPR Art 30) export
  • processor risk-assessment per recipient
  • retention schedule per data category

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch · Terms · Privacy