Create a transfer impact assessment – review third-country transfers after Schrems II

1. Create:
In the left menu under „Risks" click „Transfer impact assessments". Via „New" you create an assessment – blank, from sample documents, or as an uploaded file.

2. General and reference to processing:
Set the name and status (e.g. „Act / review") and, under „Reference to processing activities", link the processing in whose context the transfer takes place.

3. Actors:
Capture the data exporter and the data importer (in the third country) – conveniently via „Load from contacts" or your own organisation. Additional data recipients such as sub-processors are documented with the description of the data transfer.

4. Description of the transfer:
Document the start date, transmission channels, data categories and storage location. Content can be pulled from the linked processing activity.

5. Third-country legislation:
Assess the legal situation with an assessment period, relevant legislation (e.g. FISA 702, CLOUD Act) and prior authority disclosure requests.

6. Guarantees:
Link technical and organisational measures (TOMs) and maintain the legal basis – e.g. standard contractual clauses (SCC 2021/914).

7. Assessment, measures and report:
Capture risks with probability of occurrence and severity – the risk mapping plots them automatically. Derive measures with an implementation due date and a status, record the overall memo in the report, and finally set the status (acceptable, act/review or unacceptable).

Tip: Set a follow-up for the end of the assessment period – that way the third-country evaluation never silently goes stale when the legal situation changes.