Transfer Impact Assessment (TIA)

A Transfer Impact Assessment evaluates whether a destination country's laws and practices provide essentially equivalent protection for transferred personal data. Required by Schrems II for all non-adequate-country transfers under SCCs.

Why TIAs exist

The Schrems II decision held that the use of SCCs is not enough by itself when the destination country's law allows public-authority access inconsistent with EU fundamental rights. The exporter must assess the local legal landscape and determine whether the SCCs (potentially supplemented) provide essentially equivalent protection. The EDPB recommendations 01/2020 set out the six-step methodology. The exercise is sometimes called a Transfer Risk Assessment (TRA) instead; the UK ICO adopted the TRA terminology.

The six steps

EDPB methodology: (1) Know your transfers — map them. (2) Identify the transfer tool (SCCs, BCRs, adequacy, derogations). (3) Assess the importer country's laws and practices, focusing on access by public authorities (intelligence, law enforcement, judicial). (4) Identify supplementary measures if the assessment shows the tool is insufficient (encryption, pseudonymization, additional contractual safeguards). (5) Take procedural steps to adopt the supplementary measures. (6) Re-evaluate at appropriate intervals. Documentation of the assessment is required and may be requested by supervisory authorities.

TIAs for AI vendors

AI vendors commonly maintain a "TIA pack" for procurement: a country-by-country assessment for each major customer-data destination, the supplementary measures applied at each, and the residual risks. Buyers often request this pack under NDA rather than performing their own TIA from scratch. For destinations with negative case law (China, Russia), most enterprise buyers will not accept SCCs even with supplementary measures and will require regional data residency or skip the vendor.