Loading…
The CJEU's 16 July 2020 judgment in Schrems II invalidated the EU-US Privacy Shield and made clear that Standard Contractual Clauses, while still valid in principle, cannot be relied on if the law of the destination country undermines the protection they provide. Controllers and processors must conduct a Transfer Impact Assessment (TIA) for each transfer.
The EDPB's Recommendations 01/2020 set out a six-step methodology. Done well, a TIA documents the transfer, the legal regime in the destination country, supplementary measures applied, and your conclusion — defensible at audit. Done poorly, it's a checkbox exercise that crumbles under enforcement.
The 2023 EU-US Data Privacy Framework (DPF) restored adequacy for transfers to certified US importers. But it doesn't cover all transfers, can be re-challenged (Schrems III is filed), and most non-US transfers still rely on SCCs requiring a TIA.
The case (C-311/18) struck down Privacy Shield and put SCC users on notice. The CJEU held that:
Practically: SCCs alone are not enough. The TIA is the documentary evidence that you've done the work.
You can't TIA what you don't know about. Inventory:
Use your Article 30 ROPA as a starting point but verify against actual infrastructure. Cloud providers often replicate or fail-over to non-EEA regions by default — this counts as a transfer.
The heart of the TIA. For each destination country, assess:
EDPB Recommendation 02/2020 sets out the "essential guarantees" framework. For US transfers, FISA Section 702 and Executive Order 12333 are the key concern. For non-US: assess the country's laws specifically — many TIAs default to a generic "adequate" for low-risk countries without examination, which is exactly what regulators flag.
Three categories. Apply each in combination:
Triggers for re-evaluation:
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). For transfers to US-based companies that have certified to the DPF, the legal effect mirrors a full adequacy decision — no SCCs, no TIA required for the DPF-certified transfer.
Practical advice: where your US importer is DPF-certified, rely on DPF adequacy for that transfer but keep SCCs executed in the background and run TIAs anyway as future-proofing.
Per "transfer scenario" — typically per destination country + per importer. You can group transfers to the same importer involving similar data into one TIA. The country-law analysis is reusable across transfers to the same country.
No — the EDPB has clarified (Guidelines 05/2021) that transfers under Article 3(2) extraterritorial scope still require Chapter V transfer-mechanism compliance. Don't use Article 3 as an escape route.
Legally yes, but a transfer of strongly-encrypted data where the importer has no decrypted access is a textbook supplementary measure. Many TIAs conclude the transfer can proceed precisely on this basis.
Important data point, but not dispositive. EDPB has been clear: subjective practice cannot substitute for legal-regime equivalence. Document the historical zero-request record as supporting evidence, but don't rest the TIA on it.
Yes — that's the explicit EDPB Step 6 conclusion. In practice many controllers also (or instead) notify their Supervisory Authority as required by SCC Clause 14(f). Document the decision rigorously.
We'll build TIAs for your transfer scenarios — SCC modules executed, supplementary measures specified, country-law analysis cited. Audit-ready in 2–4 weeks per scenario.