Select your country to see what you need to do before transferring personal data across borders. Covers adequacy frameworks, available transfer mechanisms, and practical compliance steps.
Select the country where your organisation is established or from which you are exporting personal data:
Available Transfer Mechanisms
Practical Compliance Checklist
Case workspace
Build, save and export this legal workflow
This workspace turns the transfer risk map result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.
Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.
Observed feature pattern
Mature privacy tools scan or map real processing activity, then connect policies, cookie choices, DSARs, consent logs and regulator evidence.
They preserve an audit trail instead of leaving users with a static policy that drifts away from the product.
They route high-risk processing into DPIA, breach and processor-contract workflows before launch or vendor onboarding.
Implemented on this app
This page now asks for matter, country or regime, date, status, evidence and risk flags before the user exports a note.
The app-specific checklist is not generic: it starts with "Map hosting, support, analytics, email, backup and AI vendors by country".
Saved workflows can be resumed from the dashboard and handed off to DPA Generator when the matter naturally continues.
The PDF/export moment is a value-after-result gate, so users can still use the tool first and only share email when saving the report.
Best next move
Whether the transfer goes to an adequate, comparable, approved or restricted destination
Map hosting, support, analytics, email, backup and AI vendors by country
Assuming โcloudโ means the data stays local
Reviewed 28 April 2026 ยท 16 core privacy regimes
Transfer risk map
Cross-border transfers need a country, recipient, purpose, safeguard and fallback plan. The safest output is a transfer register with evidence for every destination.
Decisions this clarifies
Whether the transfer goes to an adequate, comparable, approved or restricted destination
Whether standard clauses, consent, contract necessity, regulator approval or another safeguard is needed
Whether onward transfers by cloud, payroll, CRM, AI or analytics vendors create hidden exposure
Before you rely on it
Map hosting, support, analytics, email, backup and AI vendors by country
Attach the DPA, transfer clause and security summary to each transfer entry
Review transfers when vendors add sub-processors or move hosting regions
Red flags
Assuming โcloudโ means the data stays local
Using consent for employee or essential-service transfers where consent is not freely given
Ignoring regulator approval or notification rules for high-risk transfers
Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.
Capture
Save the country or regime, parties, dates, amounts, selected options, and final output. Add why this matters: Whether the transfer goes to an adequate, comparable, approved or restricted destination.
Attach
Map hosting, support, analytics, email, backup and AI vendors by country. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.
Escalate
If you see this risk, pause and get qualified help: Assuming โcloudโ means the data stays local.
Paste this into your matter file, compliance folder, board pack, or lawyer handoff.
Cross-Border Data Transfer Rules in Africa
Transferring personal data across national borders is increasingly regulated across Africa. Most African data protection laws require organisations to ensure that personal data transferred outside the country receives an equivalent level of protection to that guaranteed domestically.
The mechanisms available for cross-border transfers vary by country. Standard Contractual Clauses (SCCs) โ pre-approved contractual terms that impose data protection obligations on the recipient โ are widely recognised. Adequacy decisions, where the regulator formally recognises another country's laws as providing equivalent protection, are less common in Africa than in the EU context but are developing.
Nigeria's NDPA 2023 permits cross-border transfers to countries with adequate protection or through prescribed safeguards including Data Processing Agreements with SCCs.
South Africa's POPIA permits transfers to countries with adequate protection or through binding corporate rules, contractual clauses, or data subject consent.
Kenya's DPA 2019 requires equivalent protection in the destination country or ODPC approval for transfers to countries without equivalent laws.
The African Union's harmonisation initiative aims to create mutual adequacy recognition between AU member states.
Disclaimer
This tool provides general information and educational resources only. Not legal advice. Cross-border transfer requirements evolve rapidly. Always verify current requirements with the relevant data protection authority and consult qualified legal professionals.