TIA (Transfer Impact Assessment)
EDPB Recommendation 01/2020 — third-country risk assessment
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A Transfer Impact Assessment is the structured evaluation of whether personal data is effectively protected in the recipient country — required since CJEU C-311/18 (Schrems II) and detailed in EDPB Recommendation 01/2020.
What is a TIA (Transfer Impact Assessment)?
Minimum TIA steps:
- Describe the transfer
- Identify the transfer instrument (SCC, BCR)
- Assess effectiveness in the third country
- Identify supplementary measures
- Procedural steps
- Re-evaluation
Practical example
For Microsoft 365 with US sub-processors: the TIA documents the FISA 702 risk, encryption in transit and at rest, the Customer Lockbox feature, and the EU Data Boundary.
Frequently asked questions
Mandatory for every provider?
For third-country transfers, yes. Recommended for DPF-certified US providers.
Who performs the TIA?
The controller (you). The recipient must cooperate (Article 28 plus DPA).
How often must it be renewed?
Upon material changes and at least annually.