When Checkout.com sends personal data to countries outside the EU or UK, it uses legal transfer mechanisms such as Standard Contractual Clauses or adequacy decisions to provide a baseline level of data protection.
This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
International data transfers mean personal financial and identity data may be processed in countries with different privacy laws, and the adequacy of protection depends on the specific mechanisms used and whether they remain legally valid under current rulings.
Interpretive note: The adequacy of specific transfer mechanisms depends on the destination country and supplementary measures in place, which the policy does not enumerate in detail; practical protection levels vary by transfer route.
EU and UK users' personal and financial data may be transferred to countries outside the EU/UK, including the United States, relying on Standard Contractual Clauses whose practical effectiveness depends on the transfer destination and any supplementary measures in place.
How other platforms handle this
If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those...
You will provide personal information directly to our website in the United States. We may also transfer personal information to our partners and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data prote...
ClickUp is based in the United States and the information we collect is governed by U.S. law. By accessing or using our Services or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries, where you may not have the same...
Monitoring
Checkout.com has changed this document before.
"Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or UK International Data Transfer Agreements, or we rely on an adequacy decision." — Excerpt from Checkout.com's Checkout.com Privacy
1. REGULATORY LANDSCAPE: International data transfers engage GDPR Chapter V (Articles 44-49), UK GDPR Chapter V, and the ICO's international transfer framework. Standard Contractual Clauses must comply with the 2021 EU SCCs or UK IDTAs as applicable. Adequacy decisions relied upon must be current and not subject to pending legal challenge. The CJEU's Schrems II ruling established that SCCs alone may be insufficient without supplementary measures where the recipient country's surveillance laws do not meet EU standards.
2. GOVERNANCE EXPOSURE: Medium. Reliance on SCCs requires transfer impact assessments (TIAs) to evaluate whether the destination country's legal framework undermines the SCC protections, particularly for transfers to the United States given ongoing legal uncertainty prior to and following the EU-US Data Privacy Framework. Failure to conduct TIAs creates regulatory exposure.
3. JURISDICTION FLAGS: EU and UK data subjects have the strongest protections and the greatest regulatory scrutiny applies to transfers from those jurisdictions. Transfers to the US, India, and other countries without adequacy decisions require documented TIAs. Merchants with EU/UK customer data flowing through Checkout.com's processing infrastructure should map all transfer destinations.
4. CONTRACT AND VENDOR IMPLICATIONS: DPAs with Checkout.com should specify the transfer mechanisms used for each destination country and include the required SCC modules or IDTA addenda. Procurement teams should request a list of Checkout.com's subprocessors and their locations to assess transfer risk. Any adequacy decisions relied upon should be monitored for validity.
5. COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a register of international transfer mechanisms used by Checkout.com, conduct or request TIAs for high-risk transfer destinations, and monitor developments in EU-US data transfer adequacy. UK-specific IDTA requirements should be verified for UK-origin transfers separately from EU SCC compliance.
ConductAtlas has identified this type of provision across 48 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.