Since the Schrems II ruling invalidated the EU-US Privacy Shield, every organization transferring personal data outside the EU/EEA using Standard Contractual Clauses (SCCs) must conduct a Transfer Impact Assessment (TIA). This guide provides a practical, step-by-step template you can follow immediately.
What Is a Transfer Impact Assessment?
A TIA evaluates whether the law and practice of the destination country provide protection "essentially equivalent" to that guaranteed in the EU, so that the safeguards in your transfer tool are not undermined. It is required by the EDPB's post-Schrems II guidance (Recommendations 01/2020 on supplementary measures) and by the 2021 SCCs themselves: Clause 14 makes the parties warrant that they have assessed the destination country's laws and practices, document that assessment, and make it available to the competent supervisory authority on request.
Transferring under SCCs without a documented assessment therefore breaches Clause 14, and a transfer whose safeguards are not effective in practice is unlawful.
When You Need a TIA
- Relying on any GDPR Article 46 transfer tool to send data to a country without an adequacy decision, including:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Approved codes of conduct or certification mechanisms
Article 49 derogations (explicit consent, contract performance, etc.) are not Article 46 tools and do not call for a TIA, but they are meant for occasional transfers only; they are not a substitute for a TIA when transfers are regular or systematic.
When you don't need a TIA: Transfers to countries with an EU adequacy decision (UK, Japan, South Korea, Canada for commercial organizations subject to PIPEDA, Israel, Switzerland, etc.), or transfers to US organizations that are currently certified under the EU-US Data Privacy Framework (DPF). Verify the importer's certification on the DPF list for the specific services in scope; a US company that is not certified, or whose certification lapses, falls back to SCCs plus a TIA.
6-Step TIA Template
Step 1: Map the Transfer
Document the specifics of your data transfer:
| Element | Document |
|---|---|
| Data exporter | Your organization name, role (controller/processor) |
| Data importer | Recipient name, country, role |
| Categories of data | What personal data is transferred |
| Categories of data subjects | Customers, employees, prospects, etc. |
| Purpose of transfer | Why the data is sent |
| Transfer mechanism | SCCs, BCRs, or derogation |
| Onward transfers | Does the importer transfer data further? |
Step 2: Identify the Transfer Mechanism
Confirm which GDPR Article 46 mechanism you're using:
- New SCCs (Commission Implementing Decision (EU) 2021/914, June 2021): the current standard contractual clauses, with four modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller). Make sure every contract uses the 2021 version with the right module selected; the transition period for the old 2010 SCCs ended on 27 December 2022.
- BCRs: For intra-group transfers within multinational organizations. Require DPA approval.
- Codes of Conduct / Certifications: Sector-specific approved mechanisms.
Step 3: Assess Third-Country Laws
This is the core of the TIA. Evaluate whether the destination country's laws undermine the protections in your SCCs:
- Government surveillance laws: Can authorities compel the importer to disclose data? Under what conditions?
- Access without judicial oversight: Can intelligence agencies access data without a court order?
- Bulk collection: Does the country engage in mass/indiscriminate surveillance?
- Effective remedies: Can EU data subjects challenge government access in that country's courts?
- Independent oversight: Is there an independent authority supervising government surveillance?
For US transfers: assess FISA Section 702 and Executive Order 12333, which were the basis of the Schrems II findings, together with the safeguards introduced by Executive Order 14086 (necessity and proportionality limits on signals intelligence and the Data Protection Review Court), which underpin the July 2023 DPF adequacy decision. The Commission has stated that the EO 14086 safeguards apply to all transfers of EU personal data to the US regardless of transfer mechanism, so they can be relied on in a TIA for a non-DPF importer, but that importer's own exposure (for example, whether it is an "electronic communication service provider" subject to Section 702 directives) still has to be assessed.
Step 4: Evaluate Whether Protections Are Essentially Equivalent
Compare the third-country framework against EU standards. Consider:
- Is government access limited to what is necessary and proportionate?
- Are there clear, precise, and accessible rules governing access?
- Is independent oversight effective and functioning?
- Are effective legal remedies available to EU data subjects?
If protections are not equivalent: You must identify supplementary measures (Step 5) or suspend the transfer.
Step 5: Implement Supplementary Measures
If the legal assessment reveals gaps, consider these supplementary measures:
| Type | Measure | Effectiveness |
|---|---|---|
| Technical | Encryption before transfer with a state-of-the-art algorithm, keys generated and held only by the exporter or an EU-based trusted party (EDPB Use Case 1: encrypted storage) | Strong |
| Technical | Pseudonymization before transfer, with the additional information needed for re-identification held solely by the exporter in the EU (EDPB Use Case 2) | Strong |
| Technical | Split or multi-party processing, so no single importer holds data that can be attributed to a data subject (EDPB Use Case 5) | Strong |
| Contractual | Transparency reporting obligations | Moderate |
| Contractual | Importer commits to challenge government requests | Moderate |
| Contractual | Warrant canary clauses | Limited |
| Organizational | Strict access controls and audit rights | Moderate |
| Organizational | Internal policies to resist unlawful requests | Limited |
Important: If the importer needs the data in the clear (e.g., a SaaS provider processing customer records, or remote access by a support team abroad), encryption in transit and at rest does not help, because the importer, and anyone who can compel the importer, can decrypt. The EDPB (Use Cases 6 and 7) could not identify any technical measure that is effective in that scenario, and contractual or organizational measures cannot override the destination country's law on their own. In that case, restructure the processing (pseudonymize or split the data so the importer never sees identifiers), keep the processing in the EU, or suspend the transfer.
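The following is an added illustration of the "pseudonymization before transfer" measure from the table above; it is example code written for this guide, not code from the EDPB recommendations or any vendor. It assumes a constructed set of support records and a vendor that only needs per-customer ticket counts. The exporter replaces each direct identifier with an HMAC-SHA256 token under a secret that never leaves the EU and keeps the re-identification table at home; the importer can still group and count per token. A keyed MAC rather than a plain hash matters because e-mail addresses are easy to enumerate: without the secret, neither the importer nor an authority compelling it can confirm a guess against a token. The helper and field names (`pseudonymize`, `reidentify`, `email_token`) are this example's own.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample export (invented people): records an EU exporter wants a
# non-EEA analytics vendor to process. Only per-customer totals are needed.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.example@example.org", "country": "DE", "plan": "pro", "tickets": "3"},
    {"email": "bart.example@example.net", "country": "FR", "plan": "free", "tickets": "1"},
    {"email": "anna.example@example.org", "country": "DE", "plan": "pro", "tickets": "2"},
]

DIRECT_IDENTIFIERS = ("email",)  # fields that must never leave the EU in the clear


def pseudonymize(records: List[Dict[str, str]], secret: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (payload for the importer, re-identification table kept by the exporter).

    Token = HMAC-SHA256(secret, identifier). The same identifier maps to the same
    token, so the importer can still aggregate per data subject; without `secret`
    the token cannot be reversed or verified against a candidate identifier.
    """
    outgoing: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}  # token -> identifier; the "additional information" that stays in the EU
    for rec in records:
        pseudo = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            ident = pseudo.pop(field)
            token = hmac.new(secret, ident.encode("utf-8"), hashlib.sha256).hexdigest()
            pseudo[field + "_token"] = token
            lookup[token] = ident
        outgoing.append(pseudo)
    return outgoing, lookup


def leaks_identifier(payload: List[Dict[str, str]], records: List[Dict[str, str]]) -> bool:
    """Pre-transfer check: the serialized payload must not contain any direct identifier."""
    blob = json.dumps(payload)
    return any(rec[f] in blob for rec in records for f in DIRECT_IDENTIFIERS)


def importer_aggregate(payload: List[Dict[str, str]]) -> Dict[str, int]:
    """Importer-side processing: group and sum per token without knowing who the token is."""
    totals: Dict[str, int] = {}
    for row in payload:
        totals[row["email_token"]] = totals.get(row["email_token"], 0) + int(row["tickets"])
    return totals


def reidentify(result: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Exporter-side step: map a result row received from the importer back to the data subject."""
    row = dict(result)
    for field in DIRECT_IDENTIFIERS:
        row[field] = lookup[row.pop(field + "_token")]
    return row


def guess_without_secret(token: str, candidates: List[str]) -> Optional[str]:
    """What an importer could do if a bare SHA-256 had been used: confirm a guessed
    identifier by hashing it. Against an HMAC token this never matches."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == token:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored inside the EU (e.g. an EU-region KMS)
    payload, table = pseudonymize(SAMPLE_RECORDS, key)
    if leaks_identifier(payload, SAMPLE_RECORDS):
        raise SystemExit("refusing to transfer: direct identifier present in payload")
    totals = importer_aggregate(payload)  # this is all the importer ever sees and computes
    for token, total in totals.items():
        print(reidentify({"email_token": token, "total_tickets": str(total)}, table))
```

Two caveats the code makes visible: the measure only works if both the secret and the lookup table stay with the exporter (if either travels with the data, the importer can re-identify), and the remaining quasi-identifiers (`country`, `plan`) can still single out individuals in a small dataset, which is why the EDPB's Use Case 2 also requires an analysis of what the importer could combine the data with.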
Step 6: Document, Review, and Monitor
- Document your entire assessment in writing
- Include the analysis, conclusions, and supplementary measures
- Set a review date (at least annually)
- Monitor legislative changes in the destination country
- Be prepared to suspend transfers if circumstances change
- Keep the TIA available for your supervisory authority
Quick Reference: Common Transfer Destinations
| Country | TIA Required? | Key Consideration |
|---|---|---|
| US (DPF-certified) | No | Covered by the July 2023 DPF adequacy decision; confirm the importer's active certification on the DPF list covers the data and services in scope |
| US (non-DPF) | Yes | FISA 702 and EO 12333 exposure of the importer; EO 14086 safeguards and redress mechanism |
| UK | No | Adequacy decisions of June 2021 contain a sunset clause; confirm their current status and any renewal |
| India | Yes | New DPDPA; government access breadth |
| China | Yes | Broad government access; localization requirements |
| Australia | Yes | Encryption access laws (TOLA Act) |
| Brazil | Yes | LGPD provides moderate protection |
| Japan | No | Adequacy decision |
Next Steps
Start by identifying all your cross-border data transfers. PrivacyChecker detects third-party services loading on your website that transfer data internationally — including analytics, CDNs, fonts, and embedded content. Run a free scan to map your data flows.