Data Transfers | Updated June 3, 2026 | 8 min read

Transfer Impact Assessments under GDPR: A Post-Schrems II Compliance Guide

A Transfer Impact Assessment (TIA) is the documented due-diligence exercise an EEA data exporter must complete, after the CJEU's Schrems II ruling (Case C-311/18, 2020), to verify that the laws and practice of the destination country give personal data essentially equivalent protection before it is sent abroad under Standard Contractual Clauses or another Article 46 transfer tool. This guide explains what a TIA is, when one is required, whether it is legally required in Ireland and the UK, and how to carry one out step by step.


Key takeaways

  • A TIA is the Schrems II due diligence — required by Case C-311/18 (2020) whenever an EEA exporter transfers personal data to a third country without an EU adequacy decision and relies on Standard Contractual Clauses or Binding Corporate Rules (Article 46).
  • It is legally required in both Ireland and the UK. The Data Protection Commission (DPC) enforces it under EU GDPR Article 46 in Ireland; the Information Commissioner's Office (ICO) enforces the equivalent UK GDPR duty and publishes its own TRA tool. A single assessment that covers both exporter perspectives can satisfy both regulators.
  • SCCs alone are not enough. The DPC's EUR 1.2bn Meta Ireland decision (May 2023, EDPB-binding under Article 65) confirmed that signing SCCs without a documented destination-country assessment and effective supplemental measures is not defensible.
  • EEA-held encryption keys are the de facto baseline. Under EDPB Recommendations 01/2020, strong encryption with keys held in the EEA — combined with contractual and organisational measures — is the most defensible supplemental measure for high-risk transfers.

He who transfers must assess

The Court of Justice of the European Union (CJEU) ruling in Schrems II fundamentally altered the mechanism of international data transfers. Invalidating the EU-US Privacy Shield was the headline; the imposition of a requirement to verify the "essential equivalence" of protection in the destination country was the operational reality that followed.

Standard Contractual Clauses (SCCs) remain the primary vehicle for most transfers, but they are no longer a "sign and forget" instrument. A TIA is the due diligence that proves the SCCs can actually be respected in practice, given the laws and surveillance practices of the recipient country.

How do you carry out a TIA? (step by step)

A defensible TIA follows six action steps that map to the EDPB's Recommendations 01/2020 methodology. Document each step as a dated decision so two assessors reach the same conclusion and the DPC or ICO can follow the reasoning.

  1. Map the transfer. Document the specific data categories, the importer and any sub-processors, the technical route (API, batch file, remote access), and the processing purpose. You cannot assess what you have not documented, and this maps directly to your Article 30 record.
  2. Identify the transfer tool. Confirm the Article 46 instrument relied upon — for most commercial vendors the 2021 Standard Contractual Clauses (Module 2 for controller-to-processor) — and record the correct module.
  3. Assess the destination country's law and practice. Determine whether local law lets public authorities access the data beyond what is necessary and proportionate. For US transfers this focuses on FISA 702 and Executive Order 12333.
  4. Adopt supplemental measures. Where the legal assessment reveals gaps, add technical, contractual, or organisational safeguards to fill them (see below).
  5. Document the assessment and the decision. Record the conclusion, the residual risk, and who approved the transfer, and link the TIA to the matching Article 30 entry so the evidence is navigable in an inquiry.
  6. Re-evaluate on a schedule and on change. Reassess when destination-country guidance, the sub-processor chain, or an adequacy decision changes — a TIA is a living record, not a one-off form.

Supplemental measures (step 4) generally combine three types; technical measures carry the most weight because, if the data is unintelligible to the surveillance authority, the access risk is effectively neutralised.

  • Technical measures: encryption in transit and at rest with keys managed in the EEA or another adequate country — the gold standard under EDPB Recommendations 01/2020.
  • Contractual measures: commitments to challenge access requests, notify the exporter of compelled disclosure, and publish transparency reports.
  • Organisational measures: policies on handling government requests, internal escalation, and staff training.

Automating the Complexity

Given the complexity of international laws, manual TIAs are prone to inconsistency. Acompli approaches this by structuring the TIA as a workflow:

By leveraging a knowledge base of country-specific legal assessments, Acompli allows DPOs to focus on the specific facts of the transfer—the "what" and "how"—while the platform surfaces the relevant "where" risks. This ensures that a transfer to a US cloud provider is assessed consistently across the organisation, rather than depending on which project manager fills out the form.

What is the difference between a TIA and a DPIA?

A Transfer Impact Assessment and a Data Protection Impact Assessment are different instruments that are often confused. A TIA (Schrems II, Article 46) asks whether a specific international transfer can be made lawfully; a DPIA (GDPR Article 35) asks whether a high-risk processing activity can be done lawfully at all. They can overlap — a high-risk processing activity that also transfers data outside the EEA needs both.

Transfer Impact Assessment (TIA) | Data Protection Impact Assessment (DPIA)
Legal basis: Schrems II (Case C-311/18) and GDPR Article 46. | Legal basis: GDPR Article 35.
Question: can this transfer to a third country be made lawfully? | Question: is this high-risk processing activity lawful, necessary, and proportionate?
Trigger: any transfer outside the EEA to a non-adequacy country relying on SCCs or BCRs. | Trigger: processing likely to result in a high risk to individuals.
Core output: destination-country legal assessment plus supplemental measures. | Core output: risk-and-mitigation analysis and DPO advice before processing begins.

For the full Article 35 requirement — when a DPIA is mandatory in Ireland and the UK, what it must contain, and how to carry one out — see our DPIA guide.

Conclusion

The era of unchecked data flows is over. However, compliance need not mean data localisation. A robust, documented TIA process—supported by technical measures like own-key encryption—allows global business to continue while respecting the fundamental rights of data subjects.

Schrems II Transfer Impact Assessment FAQ

What is a Transfer Impact Assessment (TIA) under Schrems II?

A Transfer Impact Assessment is the due-diligence exercise required after the CJEU's Schrems II ruling (Case C-311/18, 2020) to verify that the laws and practice of the destination country provide essentially equivalent protection to EU law for a specific international personal data transfer. The TIA documents the transfer, the Article 46 transfer tool (typically Standard Contractual Clauses), the third-country legal assessment, and any supplemental technical, contractual, or organisational measures applied.

Did Schrems II make Standard Contractual Clauses (SCCs) invalid?

No. The CJEU's Schrems II ruling invalidated the EU-US Privacy Shield but expressly upheld Standard Contractual Clauses as a valid Article 46 transfer mechanism. However, exporters can no longer rely on SCCs alone: they must assess whether the destination country's laws allow the SCC obligations to be respected in practice, and adopt supplemental measures where they cannot. This is the operational obligation that a Transfer Impact Assessment satisfies.

When is a Schrems II Transfer Impact Assessment required?

A TIA is required whenever personal data is transferred from the EEA to a third country that does not have an EU adequacy decision and the exporter relies on an Article 46 transfer tool such as Standard Contractual Clauses or Binding Corporate Rules. It also applies to onward transfers by processors and sub-processors. Transfers to adequacy-decision countries (for example, the UK, Switzerland, and the EU-US Data Privacy Framework participants) do not require a TIA in the same form, but the underlying assessment of essentially equivalent protection still informs supplier diligence.

What supplemental measures are commonly used after Schrems II?

Following the EDPB's Recommendations 01/2020, the most defensible supplemental measure is strong encryption with keys held in the EEA or another adequate jurisdiction, so that data is unintelligible to public authorities in the destination country. Contractual measures (commitments to challenge access requests, transparency reports, notification of compelled disclosure) and organisational measures (policies on handling government requests, internal escalation, staff training) are typically used in combination with technical measures rather than as standalone safeguards.

Who needs to complete a Transfer Impact Assessment?

The data exporter is responsible for completing the TIA. In practice this is the controller or processor in the EEA that is sending personal data outside the EEA. Importers are obliged under the SCCs to cooperate with the assessment, including providing information about local laws and government access requests, and the exporter's Article 30 record of processing activities should reflect each transfer.

Primary sources

  1. EDPB Recommendations 01/2020 on measures that supplement transfer tools (Version 2.0, adopted 18 June 2021) — the six-step methodology.
  2. CJEU, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18, “Schrems II”), 16 July 2020.
  3. GDPR Chapter V, Article 46 — transfers subject to appropriate safeguards (EUR-Lex, Regulation (EU) 2016/679).