Transfer Impact Assessment (TIA)

A documented analysis of whether a non-EEA destination provides protection essentially equivalent to GDPR for a specific data transfer.

Also: TIA · Schrems II assessment

A Transfer Impact Assessment is the controller's documented analysis of whether transferring personal data to a particular non-EEA jurisdiction can be done in a way that preserves protection essentially equivalent to GDPR.

The TIA was made mandatory by the Court of Justice of the European Union's 2020 Schrems II judgment, which struck down the Privacy Shield and held that exporters relying on SCCs must verify, on a transfer-by-transfer basis, that the importing country's law and practice don't undermine the SCCs.

What a TIA covers

The European Data Protection Board's Recommendations 01/2020 lay out a six-step methodology, but the core questions are:

  1. What data is being transferred, where, and to whom?
  2. What transfer mechanism are you relying on? (SCCs, BCRs, derogation under Article 49.)
  3. What is the law and practice of the importing country? Particular focus on government access to data — surveillance laws, lawful intercept regimes, gag orders preventing the importer from notifying the exporter.
  4. Are there gaps between that country's protections and the EU equivalent?
  5. What supplementary measures close those gaps? Encryption with keys held only in the EU, pseudonymisation, contractual commitments, transparency reporting.
  6. Is the residual risk acceptable?

If the residual risk after supplementary measures is still unacceptable, the transfer cannot lawfully take place.

Practical realities

For most US vendors, the EU-US Data Privacy Framework (in effect since July 2023) functions as an adequacy decision for participating companies — a TIA is still recommended but the bar is lower. For non-DPF transfers to the US, and for most other non-adequate jurisdictions, the TIA is real work and has to be revisited whenever the vendor's processing changes (new subprocessor in a high-risk country, new data flows, new legal landscape in the importing country).

A TIA written in 2022 and never reviewed since is not, in practice, an active TIA.
