Transfer Impact Assessment Guide
A Transfer Impact Assessment (TIA) evaluates whether personal data can be legally transferred to a jurisdiction with different data protection standards. In the post-Schrems II regulatory environment, TIAs have become critical for organizations transferring data globally. They require documented analysis of adequacy decisions, Standard Contractual Clauses (SCCs), supplementary measures, and residual legal risks.
When you add processors in different jurisdictions to Dxtra, the AI engine automatically identifies international data transfers and generates TIAs that assess the legal adequacy of those transfers.
What a TIA Covers
A Transfer Impact Assessment evaluates:
- Transfer mechanism — Which legal mechanism authorizes the transfer (adequacy decision, SCCs, Binding Corporate Rules, other)
- Transfer test — Whether the destination jurisdiction's laws and practices provide adequate protection
- Supplementary measures — Additional technical or contractual safeguards that bridge protection gaps identified in the assessment
- Sub-processor locations — Where sub-processors are located and whether their locations require separate transfer assessments
- Regulatory context — Current adequacy decisions, Schrems II case law, and recent guidance from the European Data Protection Board (EDPB)
The assessment documents your legal analysis and becomes evidence of your due diligence when difficult regulatory questions about international transfers arise.
Human review required
Dxtra's AI generates TIAs from your processor data and questionnaire inputs, but every assessment requires your review and approval. You must confirm the assessment accurately reflects your transfer mechanism and the destination jurisdiction's protection level.
How Dxtra Generates TIAs
When you add a processor located outside the EEA, Dxtra's AI engine identifies the transfer and generates a draft TIA by:
- Identifying transfer routes — Which data flows from your EEA operations to which non-EEA jurisdictions
- Assessing the destination — Analyzing the jurisdiction's legal framework, data protection laws, and government surveillance practices
- Evaluating transfer mechanisms — Checking current adequacy decisions (e.g., UK, Canada, Japan) or recommending SCCs if no adequacy decision exists
- Identifying supplementary measures — Suggesting technical controls (encryption, pseudonymization) or contractual safeguards (data deletion commitments, audit rights)
- Analyzing case law — Incorporating post-Schrems II guidance and EDPB opinions on transfer risk
The AI generates a draft assessment with your International Data Transfers table populated with transfer mechanisms and risk analysis. The assessment appears in your Assessments list with an "AI Generated" badge.
Understanding Transfer Mechanisms
Your transfer mechanism is the legal basis for moving personal data across borders. The current options are:
- Adequacy Decisions
  - The EU Commission has formally decided that a destination country provides an adequate level of protection. Examples: UK, Canada, Japan, South Korea. You can transfer data freely without additional safeguards.
- Standard Contractual Clauses (SCCs)
  - Pre-approved contract language that both controller and processor must include in their data processing agreement. SCCs create a contractual commitment to GDPR-equivalent protections. Most transfers to non-adequate countries use SCCs.
- Binding Corporate Rules (BCRs)
  - If you have corporate subsidiaries in other countries, BCRs allow transfers within the corporate group under GDPR-approved rules.
- Derogations
  - Limited exceptions under GDPR Articles 49(1)(a)–(f) for specific situations (explicit consent, contract necessity, vital interests). Derogations are not suitable for ongoing processing and require clear documentation.
SCCs are not enough
Since Schrems II, SCCs alone are not sufficient for transfers to countries with inadequate protection laws (especially the US). You must implement supplementary measures that make the level of protection adequate in practice.
The International Data Transfers Table
When you open the assessment, the editor displays the International Data Transfers section, which contains a table like this:
| Transfer Mechanism | Destination | Transfer Test | Additional Safeguards |
|---|---|---|---|
| Standard Contractual Clauses (Module Two) | United States | Government surveillance laws (FISA, EO 12333) present legal risk; supplementary measures required | Encryption at rest and in transit; data deletion procedures; processor audit rights; limited data retention |
| Adequacy Decision | Canada | Canadian PIPEDA equivalent to GDPR; adequacy decision active | Standard DPA terms |
This table summarizes your assessment of each transfer route. Dxtra generates this based on your processor locations and the current regulatory landscape.
Review and edit each transfer route
For each row in the table:
- Transfer Mechanism — Confirm whether you're using Adequacy Decisions, SCCs, BCRs, or derogations
- Destination — Verify the correct country or countries where the processor is located
- Transfer Test — Review the assessment of legal adequacy; update if you have recent information about the jurisdiction's privacy laws
- Additional Safeguards — Document supplementary measures (encryption, data minimization, retention limits, audit rights)
If the processor uses sub-processors in additional countries, add rows for each transfer route.
Reviewing and Editing the TIA
Open the assessment in the editor to review the AI-generated content and make revisions:
- Left pane — WYSIWYG editor where you can modify sections and tables
- Right pane — Live preview of how the assessment appears when exported
- Tabs — WYSIWYG tab and Processors tab (links assessment to specific processors with international transfers)
Make edits in the editor
Click in the left pane to refine:
- Transfer mechanism selection (if you've negotiated new contract terms, update the mechanism)
- Transfer test analysis (add recent EDPB opinions or regulatory guidance)
- Supplementary measures (add technical controls you've implemented)
- Risk conclusion (update your assessment of residual legal risk)
Link processors to the assessment
Click the Processors tab to see which processors and data transfers are covered. The tab shows:
- Processor name and country of processing
- Which data is shared with the processor
- Current transfer mechanism (Adequacy Decision or SCC status)
- Sub-processor locations (if any)
If a processor no longer processes your data or has relocated, update or remove it from the assessment.
Regulatory Context and Current Adequacy Decisions
Post-Schrems II, the regulatory landscape for transfers has shifted significantly. Transfers to the US require SCCs plus supplementary measures (typically encryption, data minimization, and audit rights) because US surveillance laws may allow government access without equivalent GDPR protections.
Current adequacy decisions (April 2026)
- United Kingdom — Adequacy decision post-Brexit; transfers permitted
- Canada — Adequacy under PIPEDA; transfers permitted
- Japan — Adequacy under APPI; transfers permitted
- South Korea — Adequacy; transfers permitted
- Israel — Adequacy (under conditions); transfers permitted
- EU-US agreements — Data Privacy Framework (DPF) for US transfers; Standard Contractual Clauses required as fallback
Check EDPB guidance
Adequacy decisions and transfer mechanisms evolve. Before approving a TIA, consult the European Data Protection Board website for current guidance on high-risk jurisdictions (US, China, Russia, etc.).
Supplementary Measures in Practice
When SCCs are the only mechanism available (e.g., transfers to the US), you must implement supplementary measures. Common examples:
Technical measures:
- End-to-end encryption so data is encrypted before transfer and decryption keys are not accessible to the processor
- Pseudonymization or data masking
- Tokenization of sensitive personal data
Contractual measures:
- Commitment to data deletion or return after contract termination
- Audit rights to verify processor compliance with GDPR
- Liability provisions that hold the processor accountable for breaches
- Restricted use clauses limiting how the processor can use personal data
- Sub-processor approval rights and restrictions
Organizational measures:
- Data minimization: Only transfer data actually needed for the processing purpose
- Retention limits: Specify maximum retention periods shorter than normal
- Access restrictions: Limit which employees of the processor can access personal data
- Regular assessments: Re-assess transfer adequacy annually or when circumstances change
Approval Workflow and PDF Export
When you're satisfied with the TIA, approve it:
- Click Save and Approve at the bottom of the editor
- The assessment moves to LIVE status and is time-stamped
- The assessment becomes part of your compliance record
You can also export the assessment as a PDF:
- Click Export as PDF
- A PDF is generated with all sections, transfer analysis, and approval metadata
- Save or share the PDF for audit trails or regulatory inquiries
When to Reassess Transfers
Re-assess your TIAs when:
- New adequacy decisions — The EU Commission grants or revokes an adequacy decision (e.g., recent UK DPA withdrawal concerns, ongoing US negotiations)
- Schrems II rulings — The CJEU issues new guidance on transfer requirements (Schrems II was 2020; subsequent guidance may affect your assessment)
- New processors in new jurisdictions — You add a processor in a country you've never transferred to before
- Processor relocation — Your processor moves operations to a different country
- EDPB opinions — The European Data Protection Board issues guidance on supplementary measures or high-risk jurisdictions
- Contract changes — You renegotiate your DPA terms; confirm transfer mechanism and safeguards still hold
- Minimum annual review — Re-assess at least once per year as part of your governance calendar
Connecting TIA to Your Processor Network
Your TIA is part of your processor governance. Each processor that operates outside an adequate jurisdiction should have:
- A corresponding assessment in your Assessments list
- A signed Data Processing Agreement (DPA) with SCCs or other mechanism
- Documented supplementary measures in your TIA
- Confirmation in your processor inventory (Processors page) of their location and data access
For details on managing your processor inventory, see Processor Management.
Frequently Asked Questions
Are adequacy decisions permanent? No. The EU Commission reviews adequacy decisions periodically. For example, the UK adequacy decision has faced scrutiny due to data retention and government surveillance laws. Always check current EDPB guidance.
Can I use Binding Corporate Rules instead of SCCs? Yes, if you have corporate subsidiaries or related entities in the destination country. BCRs require EU approval and are more complex than SCCs, but they allow transfers within your corporate group.
What if a processor operates in multiple countries? Add a row in your International Data Transfers table for each country where the processor operates. If the processor uses sub-processors, include their locations as well.
How do I handle sub-processors? Identify each sub-processor's location and add a transfer row if they're outside adequate jurisdictions. Require your primary processor to implement the same SCCs and supplementary measures with their sub-processors. Audit this regularly.
What's the difference between a Transfer Impact Assessment and a DPIA? A DPIA assesses risk to individual rights and freedoms from your processing activities (automated decision-making, surveillance, etc.). A TIA assesses the legal adequacy of moving data across borders. You may need both for complex international processing.
When is a TIA required? Whenever you transfer personal data outside the EEA or to countries without adequacy decisions. Even intra-EU transfers may need assessment if the destination has weaker laws (unlikely within EU, but relevant for future accessions).
Related Guidance
Ready to start? Log into Dxtra and select New Assessment → Transfer Impact Assessment.