Transfer Impact Assessment (TIA): Complete Guide + Free Template

What is a Transfer Impact Assessment (TIA)? This complete guide explains when a TIA is required under GDPR, the 5-step TIA process, and includes a free TIA template you can use immediately.

Predrag Tasevski January 9, 2023 8 min read

After Schrems II (CJEU, July 2020), every organization transferring personal data outside the EU/EEA must complete a Transfer Impact Assessment (TIA) before relying on Standard Contractual Clauses (SCCs) as a transfer mechanism. Without a documented TIA, your data transfers are legally non-compliant — regardless of whether you have SCCs in place.

This guide explains what a TIA is, when it’s required, the five-step process for completing one, and includes a free TIA template you can use or adapt.


What Is a Transfer Impact Assessment (TIA)?

A Transfer Impact Assessment (also called a Transfer Risk Assessment) is a documented analysis that evaluates whether a data transfer to a specific third country provides sufficient protection for EU personal data — equivalent to the protection it would have within the EU/EEA.

The TIA examines:

  1. The laws and practices of the destination country (especially government surveillance and access rights)
  2. Whether the transfer mechanism (e.g., SCCs) is actually effective given those laws
  3. What supplementary measures (if any) are needed to fill any protection gap

The European Data Protection Board (EDPB) requires a TIA in its Recommendations 01/2020 on measures that supplement transfer tools — a binding document for all EU data protection authorities.


When Is a TIA Required?

A TIA is required whenever you transfer personal data from the EU/EEA to a third country without an adequacy decision, using:

  • Standard Contractual Clauses (SCCs) — the most common mechanism
  • Binding Corporate Rules (BCRs) — for intra-group transfers
  • Codes of conduct or certification mechanisms (Article 46 GDPR)

Countries with adequacy decisions (no TIA needed for SCCs): UK, Switzerland, Japan, South Korea, Canada (commercial organizations), Israel, New Zealand, Uruguay, and a few others. Check the European Commission adequacy decisions list for the current status — adequacy decisions can be revoked.

Important: The EU-US Data Privacy Framework (2023) provides a new adequacy basis for transfers to certified US companies. Organizations relying on DPF certification still benefit from completing a TIA as due diligence documentation.

Common scenarios requiring a TIA:

  • Transferring EU customer data to a US-based SaaS provider (CRM, analytics, HR systems)
  • Using cloud infrastructure hosted outside the EU (AWS us-east, Azure US regions, GCP US)
  • Engaging support teams or contractors in non-adequate countries
  • Any sub-processor your processor engages in a non-adequate country

The 5-Step TIA Process

The EDPB recommends a structured five-step process for completing a Transfer Impact Assessment:

Step 1: Know your transfer

Document the transfer in detail:

  • What categories of personal data are transferred?
  • How many data subjects are affected?
  • What is the purpose of the transfer?
  • Who is the data importer (processor/controller in the third country)?
  • What transfer mechanism are you using (SCCs, BCRs, DPF)?

This step corresponds directly to your Record of Processing Activities (RoPA) — if you maintain an accurate RoPA, you already have this information.

Step 2: Verify the transfer tool you’re relying on

Confirm that your transfer mechanism is valid and properly implemented:

  • For SCCs: Are you using the 2021 European Commission SCCs? Are they correctly signed with the right module (Controller-to-Controller, Controller-to-Processor, Processor-to-Processor, or Processor-to-Controller)?
  • For BCRs: Are they approved by a lead supervisory authority?
  • For DPF: Is the US recipient currently certified under the Data Privacy Framework?

Step 3: Assess the third country

This is the core of the TIA. Evaluate whether the destination country’s laws could undermine the protections in your SCCs:

  • Government access laws: Does the government have broad surveillance powers (e.g., US FISA Section 702, CLOUD Act, UK IPA)?
  • Data subject rights: Can individuals in the third country enforce their rights, including against government access?
  • Enforcement: Is there an independent, effective supervisory authority or judicial system?
  • Rule of law: Does the country have independent judiciary and legal certainty?

Key sources for this assessment:

  • EDPB country-specific recommendations
  • Country reports from privacy advocates (e.g., IAPP, noyb)
  • Vendor-provided third-country assessment documentation
  • The data importer’s own disclosures

Step 4: Identify and adopt supplementary measures (if needed)

If the third country’s laws create a protection gap, you must implement supplementary measures before the transfer can proceed. The EDPB identifies three types:

Technical measures (most effective):

  • End-to-end encryption where the importer does not hold the decryption key
  • Pseudonymization before transfer (where re-identification is not possible in the third country)
  • Split processing — no single entity in the third country has access to the full dataset

Contractual measures (effective when laws permit):

  • Enhanced transparency obligations on the data importer
  • Specific access limitation clauses
  • Audit and inspection rights

Organizational measures:

  • Internal policies limiting data access
  • Staff training on handling government access requests
  • Documented procedures for challenging access requests

If no effective supplementary measures exist and the third country’s laws fundamentally undermine SCC protections, the transfer must be suspended.

Step 5: Take formal procedural steps and document

Complete and sign the TIA documentation:

  • Record the transfer details, legal basis, third-country assessment, and any supplementary measures
  • Obtain internal sign-off (DPO, legal, management)
  • Keep the TIA as part of your GDPR compliance evidence
  • Review regularly — country assessments change, especially when adequacy decisions or government surveillance laws are amended

Free Transfer Impact Assessment Template

Use this template as a starting point for your TIA. A complete TIA covers all five EDPB steps and should be stored as a compliance document.


TRANSFER IMPACT ASSESSMENT (TIA)

Organization: _______________
Date completed: _______________
Reviewed by (DPO/Legal): _______________
Next review date: _______________

Section 1: Transfer Details

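Field | Details
Data importer name | _______________
Data importer country | _______________
Categories of personal data transferred | _______________
Categories of data subjects | _______________
Volume / frequency of transfer | _______________
Purpose of transfer | _______________
Transfer mechanism (SCCs / BCRs / DPF) | _______________
SCC module used | _______________
Sub-processors in third countries | _______________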

Section 2: Transfer Mechanism Verification

  • SCCs are the 2021 European Commission standard contractual clauses
  • Correct module selected for the transfer relationship
  • SCCs are signed by both parties
  • Appendices (description of transfer, security measures) are completed
  • Any derogations or additions to SCCs are documented

Section 3: Third-Country Legal Assessment

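Assessment Area | Finding | Risk Level (Low/Medium/High)
Government surveillance laws | _______________ | _______________
Bulk data collection powers | _______________ | _______________
Data subject rights in third country | _______________ | _______________
Independent judicial oversight | _______________ | _______________
Enforcement track record | _______________ | _______________
Importer’s prior government access requests | _______________ | _______________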

Overall third-country risk assessment: ☐ Low ☐ Medium ☐ High

Section 4: Supplementary Measures

If risk is Medium or High, document supplementary measures implemented:

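Measure type | Measure description | Effective?
Technical | _______________ | _______________
Contractual | _______________ | _______________
Organizational | _______________ | _______________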

Conclusion: ☐ Transfer can proceed ☐ Transfer can proceed with supplementary measures ☐ Transfer must be suspended

Section 5: Sign-off

Completed by: _______________ Date: _______________
DPO review: _______________ Date: _______________


Automating TIA Completion with Unicis

Completing TIAs manually — one document per vendor, per transfer — is time-consuming and error-prone. Unicis provides a purpose-built Transfer Impact Assessment module that guides compliance teams through all five EDPB steps in a structured, auditable workflow.

Unicis TIA for Platform

  • Five-step guided TIA workflow aligned to EDPB Recommendations 01/2020
  • Pre-built templates for common transfer scenarios (US cloud providers, APAC transfers)
  • Risk scoring for each assessment area
  • Sign-off and approval workflow with audit trail
  • Stores all TIAs in a searchable, version-controlled compliance record
  • Links directly to your RoPA for cross-reference

Unicis TIA for Jira

For teams already working in Atlassian Jira — run Transfer Impact Assessments as Jira issues without leaving your existing workflow. Available free for up to 10 users on the Atlassian Marketplace.


Common TIA Mistakes to Avoid

Relying on vendor-provided TIAs without review

Many SaaS vendors provide pre-filled TIA documentation. You still need to review and sign off on it — the EDPB is clear that the controller bears responsibility for the assessment, even when assisted by the importer.

Not updating TIAs when laws change

The US CLOUD Act, FISA Section 702 reauthorizations, and UK IPA amendments all affect existing TIAs. A TIA completed in 2021 may not reflect current risks. Build a review schedule into your compliance program.

Treating SCCs as sufficient without a TIA

SCCs alone are not sufficient post-Schrems II. The CJEU ruled that SCCs require supplementary measures when the third country’s laws undermine their effectiveness. A TIA determines whether supplementary measures are needed.

Incomplete documentation

Regulators have fined organizations for having incomplete or undated TIA documentation. Every field in your TIA should be completed with specific, verifiable information — not generic statements.


Key Takeaways

  • A Transfer Impact Assessment is mandatory for any transfer using SCCs to a non-adequate country
  • The TIA evaluates whether the third country’s laws undermine SCC protections
  • Five steps: know your transfer → verify mechanism → assess third country → supplementary measures → document
  • Review TIAs regularly — country assessments and laws change
  • Use purpose-built tools to manage TIAs at scale — manual spreadsheets fail audits

Start managing Transfer Impact Assessments with Unicis → Free for up to 10 users. No credit card required.
