What is a restricted or cross-border transfer?

It is any transfer of personal data to a recipient outside the EEA (for GDPR) or outside the UK (for UK GDPR), including remote access from abroad. Chapter V of the GDPR requires a lawful transfer mechanism for every such transfer.

When can I rely on an adequacy decision?

When the destination has been formally recognised by the EU Commission or the UK as providing essentially equivalent protection. Adequacy means you can transfer freely with no extra safeguard, though you should keep monitoring that the decision remains in force.

What is the difference between SCCs and the IDTA?

Standard Contractual Clauses are the EU's modular 2021 contract for transfers out of the EEA. The UK uses its own International Data Transfer Agreement (IDTA) or a UK Addendum bolted onto the EU SCCs. Both require a transfer risk assessment of the destination.

When can I use an Article 49 derogation?

Derogations such as explicit consent or contractual necessity are a last resort for occasional, non-repetitive transfers of limited data. They cannot be used for routine or large-scale flows, where SCCs, the IDTA, or BCRs are required instead.

Does this replace legal advice?

No. It uses a simplified adequacy list and standard decision logic to point you to the likely mechanism. Adequacy decisions and surveillance assessments change frequently, so confirm with current ICO and EU guidance and take professional advice.

Data Transfer Mechanism Selector (GDPR / UK GDPR)

Moving personal data across borders under the GDPR or UK GDPR means picking a lawful transfer mechanism from Chapter V. This selector walks the decision tree the way a data protection officer would — adequacy first, then contracts, then narrow derogations — and tells you the exact article that applies.

How it works

Chapter V sets a priority order for cross-border transfers:

Adequacy (Art. 45) — if the destination has an adequacy decision, you can transfer freely with no extra safeguard.
Appropriate safeguards (Art. 46) — otherwise use a contract: EU Standard Contractual Clauses for an EU exporter, or the IDTA / UK Addendum for a UK exporter, paired with a transfer risk assessment.
Binding Corporate Rules (Art. 47) — for intra-group transfers in large multinationals, once approved by a supervisory authority.
Derogations (Art. 49) — explicit consent or contractual necessity, only for occasional, limited transfers.

The tool applies these in order based on your answers, including the special case of certified US recipients under the Data Privacy Framework.

Example and notes

An EU company sending customer records to a US analytics vendor that is not DPF certified lands on the EU SCCs plus a transfer risk assessment and supplementary measures such as encryption. The same flow from a UK exporter uses the IDTA or the UK Addendum instead. A single, consented export of one record to wrap up a contract can rely on an Article 49 derogation. Adequacy lists change often, so treat the built-in list as illustrative and verify before relying on it.