TIA – The Transfer Impact Assessment

- SCCs and a TIA are required for data transfers to third countries without an adequacy decision.
- The TIA assesses the level of data protection in the third country, in particular the scope of government access to the transferred data.
- CNIL guidance provides a practical methodology for preparing TIAs.
- The EU-US Data Privacy Framework provides a new basis for transfers to certified US organizations.
- EDPB recommendations emphasize continuous re-evaluation and supplementary measures.
What is the Transfer Impact Assessment?
If personal data is transferred to so-called unsafe third countries outside the EU, i.e. countries without an adequacy decision, Standard Contractual Clauses (SCCs) are no longer sufficient on their own. Since the Schrems II ruling of the CJEU (C-311/18), a Transfer Impact Assessment (TIA) is additionally required. It obliges companies to assess the level of data protection in the third country individually for each transfer.
A TIA is a risk assessment: it examines whether the data importer in the destination country is subject to laws or practices that could be incompatible with the GDPR and the SCCs, for example government access rights without adequate legal protection or effective remedies for data subjects.
According to Clause 14 of the SCCs, this analysis must always be conducted on a case-by-case basis. Since there is currently no standardized method, it is advisable to develop a documented assessment approach internally. The French data protection authority CNIL published a practical guide on this in 2025. Even if the new EU-US Data Privacy Framework simplifies certain transfers, a GDPR-compliant TIA remains mandatory in many cases, especially where the recipient is not covered by an adequacy decision (for example a US importer that is not certified under the Framework) or where supplementary guarantees are necessary.
How is a TIA conducted?
A Transfer Impact Assessment is prepared in addition to the Standard Contractual Clauses and serves to assess whether laws exist in the third country that allow authorities extensive access to personal data. If the assessment is negative and no supplementary measures close the gap, the SCCs may not be concluded and the transfer would be unlawful.
But how can a TIA be implemented in practice in compliance with the GDPR? The next section shows which content should be covered and how to structure a TIA effectively.
What does the practical implementation of a TIA look like and what should you pay attention to?
For clarity, TIAs should ideally be prepared in tabular form. The following questions must be answered alongside the SCCs:
General Section:
- The exact designation of the two contracting parties (data exporter and data importer)
- Legal basis for data transfer according to Art. 44 et seq. GDPR
- Details of the data transfers
- Review interval for when a re-evaluation of the TIA is advisable
Transfer circumstances ("Specific circumstances of the transfer" according to Clause 14 lit. b point i of the SCC):
- Type of data transfer
- Categories and format of personal data
- Transfer channels, intended processing chain, and storage location and type
Applicable laws of the destination country (Clause 14 lit. b point ii of the SCC):
- Which data protection laws apply in the destination country regarding personal data?
- It makes sense to include, in particular, laws that require the disclosure of or access to data by authorities, such as the US CLOUD Act or Section 702 of FISA, which the CJEU examined in Schrems II.
Additional Safeguards (Clause 14 lit. b point iii of the SCC):
- The SCCs (Annex II) already define technical and organizational measures (TOMs). List these TOMs again here.
- Are any further measures planned during the transmission and/or processing of personal data in the destination country, for example end-to-end encryption with keys held only in the EU, or pseudonymization before export, as described in the EDPB recommendations on supplementary measures?
Conclusion & Summary:
- Ultimately, all points must be weighed against each other. The positive or negative outcome must be documented and explained in detail, so that the decision is comprehensible to third parties such as a supervisory authority.
- If the outcome is negative, the deficiencies must be addressed with supplementary measures. If no measure closes the gap, the SCCs cannot be concluded and the transfer must not take place.
Preparing a TIA requires some time, but most of the information can be taken from the SCC documents.
If you are unsure whether the TIAs you have prepared are sufficient, contact an external data protection officer, because only correctly concluded SCCs backed by a documented TIA protect you and your company from a fine in the event of a complaint.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.