INTERNATIONAL DATA TRANSFER IMPACT ASSESSMENT
Transfer Impact Assessment (TIA) pursuant to GDPR and Schrems II
OVERVIEW
This Transfer Impact Assessment (TIA) documents the evaluation of international data transfers to ensure compliance with GDPR Articles 44-49 and the requirements established by the Court of Justice of the European Union in the Schrems II judgment (C-311/18).
Assessment Date: [DATE]
Assessor: [NAME/TITLE]
Approved By: [NAME/TITLE]
Next Review Date: [DATE]
PART 1: TRANSFER DETAILS
1.1 Parties to the Transfer
Data Exporter:
| Field | Information |
|-------|-------------|
| Organization Name | [NAME] |
| Address | [ADDRESS] |
| Country | [EU/EEA MEMBER STATE] |
| Role | ☐ Controller ☐ Processor |
| Contact | [EMAIL/PHONE] |
| DPO | [NAME/EMAIL] |
Data Importer:
| Field | Information |
|-------|-------------|
| Organization Name | [NAME] |
| Address | [ADDRESS] |
| Country | [THIRD COUNTRY] |
| Role | ☐ Controller ☐ Processor ☐ Sub-processor |
| Contact | [EMAIL/PHONE] |
1.2 Transfer Description
| Element | Details |
|---|---|
| Purpose of Transfer | [DESCRIBE] |
| Categories of Data Subjects | [e.g., Customers, Employees, Website Users] |
| Categories of Personal Data | [LIST CATEGORIES] |
| Sensitive/Special Category Data | ☐ Yes ☐ No - If yes: [SPECIFY] |
| Frequency of Transfer | ☐ One-time ☐ Ongoing ☐ Periodic |
| Volume of Data | [APPROXIMATE VOLUME] |
| Onward Transfers | ☐ Yes ☐ No - If yes: [SPECIFY COUNTRIES] |
1.3 Transfer Mechanism (Article 46)
Primary Transfer Mechanism:
☐ Adequacy Decision (Article 45) - Country/Region: _____________
☐ Standard Contractual Clauses (Article 46(2)(c)) - Version:
☐ EU Commission SCCs (2021/914)
☐ UK International Data Transfer Agreement (IDTA)
☐ UK Addendum to EU SCCs
☐ Binding Corporate Rules (Article 46(2)(b))
☐ Codes of Conduct (Article 46(2)(e))
☐ Certification (Article 46(2)(f))
☐ Derogation (Article 49) - Basis: _____________
PART 2: ASSESSMENT OF THIRD COUNTRY LEGAL FRAMEWORK
2.1 Destination Country
Country: [NAME]
Relevant Legal Framework: [LIST KEY LAWS]
2.2 Assessment of Laws and Practices
2.2.1 Surveillance and Government Access Laws
| Question | Assessment |
|---|---|
| Does the country have laws permitting government access to personal data? | ☐ Yes ☐ No ☐ Unknown |
| If yes, identify the relevant laws | [LIST LAWS] |
| Do these laws apply to the data importer? | ☐ Yes ☐ No ☐ Potentially |
| Are there limitations on government access (necessity, proportionality)? | ☐ Yes ☐ No ☐ Limited |
| Is there independent oversight of government surveillance? | ☐ Yes ☐ No ☐ Limited |
| Are there effective legal remedies for data subjects? | ☐ Yes ☐ No ☐ Limited |
2.2.2 Specific Laws to Consider
For US Transfers:
☐ Section 702 of the Foreign Intelligence Surveillance Act (FISA)
- Does importer qualify as an "electronic communication service provider"? ☐ Yes ☐ No
☐ Executive Order 12333
☐ CLOUD Act
☐ USA PATRIOT Act
For Other Countries:
☐ [LIST RELEVANT SURVEILLANCE/ACCESS LAWS]
2.2.3 Assessment of Whether Laws Impinge on SCCs
| Factor | Assessment |
|---|---|
| Can the importer comply with SCC obligations? | ☐ Yes ☐ No ☐ Uncertain |
| Are there laws that contradict or override SCCs? | ☐ Yes ☐ No ☐ Potentially |
| Has the importer received government access requests? | ☐ Yes ☐ No ☐ Unknown |
| Frequency of requests (if known) | [NUMBER/PERIOD] |
2.3 Sources Consulted
☐ EDPB Recommendations 01/2020 and 02/2020
☐ EU Commission adequacy assessments
☐ National supervisory authority guidance
☐ Government transparency reports
☐ Legal opinions/analysis
☐ Data importer representations
☐ Other: _____________
PART 3: RISK ASSESSMENT
3.1 Likelihood of Government Access
| Factor | Assessment | Score (1-5) |
|---|---|---|
| Importer subject to surveillance laws | [ASSESSMENT] | [SCORE] |
| Importer's sector/industry risk | [ASSESSMENT] | [SCORE] |
| Type of data transferred | [ASSESSMENT] | [SCORE] |
| Volume of data | [ASSESSMENT] | [SCORE] |
| Historical access requests to importer | [ASSESSMENT] | [SCORE] |
| Overall Likelihood | | [SCORE] |
Likelihood Rating:
☐ Low (1-2) ☐ Medium (3) ☐ High (4-5)
3.2 Impact on Data Subjects
| Factor | Assessment | Score (1-5) |
|---|---|---|
| Sensitivity of data | [ASSESSMENT] | [SCORE] |
| Volume of affected individuals | [ASSESSMENT] | [SCORE] |
| Vulnerability of data subjects | [ASSESSMENT] | [SCORE] |
| Potential consequences of access | [ASSESSMENT] | [SCORE] |
| Availability of remedies | [ASSESSMENT] | [SCORE] |
| Overall Impact | | [SCORE] |
Impact Rating:
☐ Low (1-2) ☐ Medium (3) ☐ High (4-5)
3.3 Overall Risk Rating
| Likelihood / Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| Low Likelihood | LOW | LOW | MEDIUM |
| Medium Likelihood | LOW | MEDIUM | HIGH |
| High Likelihood | MEDIUM | HIGH | HIGH |
Overall Risk Level: ☐ LOW ☐ MEDIUM ☐ HIGH
PART 4: SUPPLEMENTARY MEASURES
4.1 Technical Measures
| Measure | Implemented | Details |
|---|---|---|
| Encryption in transit (TLS 1.2+) | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| Encryption at rest (AES-256) | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| End-to-end encryption | ☐ Yes ☐ No ☐ N/A | [DETAILS] |
| Pseudonymization | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| Data minimization | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| Access controls | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| Key management (exporter controlled) | ☐ Yes ☐ No ☐ Planned | [DETAILS] |
| Multi-party processing | ☐ Yes ☐ No ☐ N/A | [DETAILS] |
4.2 Organizational Measures
| Measure | Implemented | Details |
|---|---|---|
| Strict purpose limitation | ☐ Yes ☐ No | [DETAILS] |
| Robust internal policies | ☐ Yes ☐ No | [DETAILS] |
| Transparency reports by importer | ☐ Yes ☐ No | [DETAILS] |
| Documentation of access requests | ☐ Yes ☐ No | [DETAILS] |
| Regular audits | ☐ Yes ☐ No | [DETAILS] |
| Staff training | ☐ Yes ☐ No | [DETAILS] |
4.3 Contractual Measures
| Measure | Implemented | Details |
|---|---|---|
| Standard Contractual Clauses | ☐ Yes ☐ No | Version: [SPECIFY] |
| Obligation to challenge unlawful requests | ☐ Yes ☐ No | SCC Clause 15.1 |
| Notification to exporter of requests | ☐ Yes ☐ No | SCC Clause 15.1 |
| Warrant canary provisions | ☐ Yes ☐ No | [DETAILS] |
| Prohibition on mass surveillance assistance | ☐ Yes ☐ No | [DETAILS] |
| Enhanced audit rights | ☐ Yes ☐ No | [DETAILS] |
4.4 Effectiveness Assessment
| Question | Assessment |
|---|---|
| Do supplementary measures effectively address identified risks? | ☐ Yes ☐ No ☐ Partially |
| Can the importer comply with SCCs despite local laws? | ☐ Yes ☐ No ☐ Uncertain |
| Is there residual risk that cannot be mitigated? | ☐ Yes ☐ No |
| If residual risk, is it acceptable? | ☐ Yes ☐ No ☐ N/A |
PART 5: DECISION AND CONCLUSION
5.1 Decision
Based on this assessment:
☐ PROCEED - The transfer may proceed with the identified transfer mechanism and supplementary measures
☐ PROCEED WITH CONDITIONS - The transfer may proceed subject to additional measures: [SPECIFY]
☐ DO NOT PROCEED - The transfer should not take place as adequate protection cannot be ensured
☐ SUSPEND/TERMINATE - An existing transfer should be suspended or terminated
5.2 Rationale
[PROVIDE DETAILED RATIONALE FOR DECISION]
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
5.3 Actions Required
| Action | Responsible Party | Deadline | Status |
|---|---|---|---|
| [ACTION 1] | [NAME] | [DATE] | ☐ Pending ☐ Complete |
| [ACTION 2] | [NAME] | [DATE] | ☐ Pending ☐ Complete |
| [ACTION 3] | [NAME] | [DATE] | ☐ Pending ☐ Complete |
PART 6: ONGOING MONITORING
6.1 Review Schedule
This assessment will be reviewed:
☐ Annually
☐ Upon material change in circumstances
☐ Upon change in third country laws
☐ Upon supervisory authority guidance
☐ Upon request by data subjects
Next Scheduled Review: [DATE]
6.2 Monitoring Activities
☐ Monitor legal developments in destination country
☐ Review importer transparency reports
☐ Monitor supervisory authority guidance
☐ Regular communication with importer
☐ Audit supplementary measures
PART 7: APPROVAL
7.1 Assessment Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| Assessor | [NAME] | _____________ | [DATE] |
| DPO Review | [NAME] | _____________ | [DATE] |
| Legal Review | [NAME] | _____________ | [DATE] |
| Management Approval | [NAME] | _____________ | [DATE] |
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial assessment |
ATTACHMENTS
☐ Standard Contractual Clauses (signed)
☐ Data Processing Agreement
☐ Technical security documentation
☐ Legal analysis of destination country laws
☐ Importer representations/warranties
☐ Audit reports
☐ Other: _____________
This assessment is provided for compliance with GDPR international transfer requirements. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.
Last updated: February 2026