SCC Transfer Impact Assessment Tool

Assess third-country transfer risk for GDPR Standard Contractual Clauses


This SCC Transfer Impact Assessment tool turns the Schrems II obligation into a repeatable scorecard. After Schrems II struck down Privacy Shield, you can no longer rely on Standard Contractual Clauses alone: you must assess whether the destination country’s surveillance laws undermine those clauses and, if they do, add supplementary measures. Built for legal counsel and international data-transfer teams, the tool walks you through the EDPB’s six-step methodology and returns a risk band plus the concrete measures to apply.

How it works

The assessment follows the EDPB Recommendations 01/2020 on supplementary measures:

Step 1  Know your transfer (destination, data, importer)
Step 2  Identify the transfer tool (here: SCCs)
Step 3  Assess local law and practice (surveillance, rule of law)
Step 4  Identify and adopt supplementary measures
Step 5  Take procedural steps to implement them
Step 6  Re-evaluate at intervals

The tool encodes Step 1 and Step 3. First it checks the destination against the list of countries with an EU adequacy decision (UK, Switzerland, Japan, South Korea, Canada-commercial, New Zealand, and others); if adequate, the transfer needs no SCCs and the assessment ends. Otherwise it scores three risk inputs: the rule-of-law / surveillance exposure of the country, the sensitivity of the data, and whether strong encryption removes the importer’s ability to read plaintext.

Reading the score and measures

The three inputs combine into a low, medium or high band. The decisive factor, per the EDPB, is whether a technical measure — encryption where the importer never holds the keys, or pseudonymisation that cannot be reversed at the destination — makes any government access ineffective. When that is in place, even a high-surveillance destination can drop to acceptable risk. When it is not, the tool recommends layering technical, contractual (transparency, audit, challenge obligations) and organisational measures, and warns when the residual risk means the transfer should not proceed without legal sign-off.
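The decision flow described under "How it works" and "Reading the score and measures", written out as an added JavaScript example. It is not the tool's own code: the 1-3 scale, the multiplication, the band thresholds, the function and field names and the destination "Exampleland" are assumptions, and the adequacy set holds only the countries this page names.

```javascript
// Added example, not the tool's code. Scales, thresholds and names are assumptions.
// Partial adequacy list: only the destinations named on the page.
const ADEQUATE = new Set([
  "UK", "Switzerland", "Japan", "South Korea", "Canada-commercial", "New Zealand",
]);
// Assumed 1-3 scale for both graded inputs; a Map avoids prototype-key lookups.
const LEVELS = new Map([["low", 1], ["medium", 2], ["high", 3]]);

function assessTransfer({ destination, surveillance, sensitivity, importerHoldsKeys }) {
  // Step 1: an adequacy decision ends the assessment; no SCCs are needed.
  if (ADEQUATE.has(destination)) {
    return { sccRequired: false, band: null, measures: [], legalSignOff: false };
  }
  const s = LEVELS.get(surveillance);
  const d = LEVELS.get(sensitivity);
  if (!s || !d) {
    throw new RangeError("surveillance and sensitivity must be low, medium or high");
  }

  // Step 3: the decisive factor is whether the importer can ever read plaintext.
  // Fail safe: anything but an explicit `false` counts as "importer holds the keys".
  if (importerHoldsKeys === false) {
    // Assumption: an effective technical measure brings the band down to low.
    return { sccRequired: true, band: "low",
             measures: ["technical (already in place)"], legalSignOff: false };
  }

  const score = s * d; // assumed combination, possible values 1, 2, 3, 4, 6, 9
  const band = score <= 2 ? "low" : score <= 4 ? "medium" : "high";
  return {
    sccRequired: true,
    band,
    // Without an effective technical measure, all three layers are recommended.
    measures: ["technical", "contractual (transparency, audit, challenge)", "organisational"],
    legalSignOff: band === "high", // assumed trigger for the sign-off warning
  };
}

// Constructed input: "Exampleland" is a made-up destination without adequacy.
console.log(assessTransfer({
  destination: "Exampleland", surveillance: "high", sensitivity: "high", importerHoldsKeys: true,
}));
```

A missing or non-boolean `importerHoldsKeys` is scored as if the importer can read plaintext, so an incomplete questionnaire never lowers the band.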

This is guidance, not legal advice, and everything is computed locally — no transfer details ever leave your browser.
