
Transfer impact assessment

A transfer impact assessment (TIA) is the case-by-case evaluation required after the Schrems II ruling to determine whether a transfer of personal data to a third country ensures an essentially equivalent level of protection despite standard contractual clauses.

A transfer impact assessment (TIA) is a documented risk evaluation in which a controller or processor assesses, before transferring personal data to a third country, whether the chosen safeguard under Art. 46 GDPR - in practice usually the standard contractual clauses - actually provides a level of protection in the recipient country that is essentially equivalent to that of the EU. The TIA became mandatory through the judgment of the Court of Justice of the European Union of 16 July 2020 (Case C-311/18, "Schrems II"): the Court invalidated the EU-US Privacy Shield and made clear that standard contractual clauses alone are insufficient where the law of the recipient country - such as far-reaching government access powers - undermines the contractual commitments.

Methodologically, the TIA follows the six-step framework set out by the European Data Protection Board in its Recommendations 01/2020: mapping all transfers ("know your transfers"), identifying the transfer tool under Art. 46 GDPR, assessing the effectiveness of that tool in light of the legal situation and practice in the third country, adopting supplementary measures where necessary, taking any formal procedural steps, and finally re-evaluating at appropriate intervals. The assessment focuses in particular on the surveillance and access laws of the third country (for the United States, notably Section 702 FISA and Executive Order 12333), the remedies available to data subjects, and the specific circumstances of the transfer such as the type of data, the recipients involved and the sensitivity of the information.

If the TIA reveals that the contractual level of protection is compromised by the third country's law, the transfer must be secured through supplementary measures - for example strong end-to-end encryption with keys managed exclusively within the EU, pseudonymisation, or additional contractual and organisational guarantees. Where the risks cannot be effectively addressed, the transfer must be suspended or not carried out. For transfers to the United States, the adequacy decision on the EU-U.S. Data Privacy Framework (July 2023) has eased the situation, but only for certified recipients; for all other third-country transfers the TIA remains a central, demonstrable compliance instrument and an expression of the accountability principle under Art. 5(2) GDPR.

Legal Basis

Art. 44–46 GDPR; CJEU judgment of 16 July 2020, C-311/18 (Schrems II); EDPB Recommendations 01/2020; Art. 5(2) GDPR (accountability)

Practical Example

A mid-sized company adopts a US cloud CRM whose provider requires support access from the United States and India. The data protection officer prepares a TIA: she maps the customer and contact data being transferred, identifies the standard contractual clauses as the transfer tool, and assesses the US legal situation under Section 702 FISA. Because the provider is not certified under the Data Privacy Framework, she agrees on supplementary measures such as encrypted data storage with EU-side key management, a transparency register for government access requests, and restrictions on remote access. The complete TIA is filed in the records of processing activities and re-evaluated annually.

FAQ

When is a TIA required?

A TIA is required whenever personal data is transferred to a third country without an adequacy decision on the basis of appropriate safeguards under Art. 46 GDPR - typically standard contractual clauses. Since the Schrems II ruling, the controller must assess and document on a case-by-case basis whether the level of protection in the recipient country is genuinely equivalent.

What are supplementary measures?

Supplementary measures are technical, contractual or organisational safeguards that restore the level of protection weakened by third-country law. Typical examples include strong encryption with keys managed in the EU, pseudonymisation, transparency obligations for government access requests, and access restrictions.

Does the EU-U.S. Data Privacy Framework make a TIA unnecessary?

Only in part. For US recipients certified under the Data Privacy Framework, an adequacy decision has applied since July 2023, so no TIA is needed. For non-certified US recipients and for all other third countries without an adequacy decision, the TIA remains mandatory.
