CrossBorderTransferLog — Personal-Data Cross-Border Transfer Register
22 active cross-border data transfers with mechanism (SCC 2021/914 / EU-US DPF / adequacy decision / BCR / Art 49 derogation / consent). Per transfer: source jurisdiction, destination, data category, lawful basis, Schrems II TIA, frequency. Surfaces 3 with pending TIA + 1 Art 49 derogation overuse.
What it is
The Art 30(2) processor-side transfer register. DataMapInventory captures processing activities; CrossBorderTransferLog captures the specific transfers each activity creates.
What’s in it
- 22 active transfers across 6 mechanisms (EU-US DPF, SCC 2021/914, intra-EU adequacy, BCR, Art 49 derogation, consent)
- Per transfer: source → destination, data category, lawful basis, frequency, volume, Schrems II TIA status
- Worst-offender: CB-021 recurring Art 49 derogation (EDPB Guidelines 02/2018 explicitly prohibits — must convert to SCC); 3 transfers with TIA pending (Twilio, OpenAI, Anthropic — cross-references DPADeskbook)
Why this shape
GDPR Art 44-49 governs cross-border transfers. SCC 2021/914 + EU-US DPF Decision 2023/1795 are the two major mechanisms. EDPB Recommendations 01/2020 require a Transfer Impact Assessment for non-adequate destinations.
How it ships
Single HTML file, ~13KB. Zero dependencies. 22 transfers × mechanism/status filters in 100 lines of vanilla JavaScript.