By Christa N'dure

A Transfer Impact Assessment (TIA) is a documented analysis that European Union (and UK) data controllers and processors must conduct before transferring personal data to a country outside the European Economic Area that lacks an adequacy decision from the European Commission. The TIA evaluates whether the destination jurisdiction provides a level of personal data protection essentially equivalent to that guaranteed under GDPR, considering specific factors including the destination country’s laws on government access to data, the rights of data subjects, and any supplementary measures the data exporter and importer have agreed to implement. The requirement was created by the Court of Justice of the European Union’s 2020 Schrems II decision and refined by subsequent EDPB guidance.

A TIA is the practical companion document to the Standard Contractual Clauses (SCCs). The new (June 2021) SCCs require the parties to assess and document the risks of the specific transfer, and the TIA is the operational form that assessment takes. Without a documented TIA, the SCCs alone may not be a sufficient legal basis for the transfer, and the exporter risks supervisory authority enforcement action. The TIA is required regardless of the volume or sensitivity of the data transferred: every transfer of personal data to a non-adequate country triggers the obligation.

For international employers, the TIA sits at the centre of HR data compliance whenever employee personal data flows from EU/UK to non-EU countries: parent company headquarters, group-level HR systems (Workday, SAP SuccessFactors, BambooHR, Personio hosted outside the EEA), background check services, payroll providers, and benefits administrators. This guide covers what a TIA is, when it is required, the six-step assessment framework, supplementary measures, country-specific risk profiles, common compliance failures, and how the TIA differs from a DPIA. Source guidance includes the European Data Protection Board (EDPB), the UK ICO, and the CNIL.

When a Transfer Impact Assessment Is Required

A Transfer Impact Assessment is required whenever a controller or processor in the EU/UK transfers personal data to a country that lacks an adequacy decision from the European Commission. The assessment must be completed before the transfer begins and updated when material circumstances change (new sub-processor, new transfer route, change in destination country law).

The trigger is the legal jurisdiction of the data importer, not the physical location of servers. A transfer to a UK-based company that stores data on US-hosted cloud servers triggers a TIA for the UK-to-US sub-flow, not just the EU-to-UK flow. Cloud hosting arrangements with EU regions do not eliminate the TIA requirement if the cloud provider is owned or controlled by a non-adequate jurisdiction (the so-called “control test” applied by some Member State supervisory authorities, particularly the French CNIL).

Countries with adequacy decisions as of May 2026 do not require a TIA for transfers to them. The current adequacy list includes the United Kingdom (post-Brexit adequacy granted 2021), Switzerland, Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, the Republic of Korea, Uruguay, and the United States (under the EU-US Data Privacy Framework, in force since July 2023, with the caveat that participating organisations must self-certify and adequacy applies only to certified entities). All other destination countries require a TIA.

For HR data specifically, the most common TIA triggers are intra-group transfers to a non-EU parent for HR consolidation, transfers to non-EU SaaS HR providers, transfers to non-EU background check services, transfers to non-EU benefits administrators, and transfers to non-EU assignee tax and immigration processors. Each transfer route requires its own TIA documentation.

The EDPB Six-Step Transfer Impact Assessment Framework

The European Data Protection Board’s Recommendations 01/2020 (final version published June 2021) established the six-step framework that has become the operational standard for TIA documentation. Each step must be completed, documented, and retained for supervisory authority review.

| Step | What It Covers | Practical Output |
|---|---|---|
| 1. Know your transfers | Map all transfers of personal data to non-EEA countries; identify exporter, importer, data categories, processing purposes | Transfer mapping spreadsheet covering all flows |
| 2. Identify the transfer tool | Confirm the legal basis: SCCs, Binding Corporate Rules (BCRs), derogations under Article 49, or adequacy decision | Documentation of which Article 46 mechanism applies |
| 3. Assess effectiveness in the destination | Analyse whether the destination country’s law and practice undermines the chosen transfer tool, focusing on government access laws | Country law analysis with specific statute references |
| 4. Adopt supplementary measures | Where step 3 finds the transfer tool is insufficient, identify and implement technical, contractual, or organisational measures | Supplementary measures register |
| 5. Take procedural steps | Notify the data protection authority and obtain authorisation where required by the supplementary measures | DPA notification records where applicable |
| 6. Reassess at regular intervals | Monitor the destination country law and practice; reassess the TIA at appropriate intervals (typically annually, or upon material change) | Documented annual review cycle |

Steps 3 and 4 are where most TIA effort concentrates in practice. Step 3 requires a substantive legal analysis of the destination country’s framework, identifying specific statutes (such as FISA Section 702 and Executive Order 12333 in the US case) that affect government access to personal data. Step 4 requires identifying supplementary measures that address gaps identified in step 3: encryption, pseudonymisation, contractual commitments by the importer to challenge unlawful access requests, or organisational measures such as data-minimisation protocols.

💡 Employsome Insight

A TIA is not a tick-box exercise; supervisory authorities scrutinise the substance

European supervisory authorities (CNIL, BfDI, AEPD) consistently find that boilerplate TIA documentation does not meet the EDPB six-step framework. A TIA must include specific statutory references in the destination country, specific identification of supplementary measures and their effectiveness against the identified risks, and documented annual review. A 3-page generic template downloaded from a vendor site is unlikely to survive scrutiny; a substantive 15-20 page analysis tailored to the specific transfer route and destination is the expected baseline for major transfer flows.

Destination Country Risk Profiles

Step 3 of the EDPB framework (assessing whether the destination country’s law undermines the transfer tool) varies materially by country. Some destinations require minimal supplementary measures because their legal framework is broadly compatible with EU data protection principles; others require extensive supplementary measures to bridge significant gaps. The table below summarises the operational risk profile for the most common HR-data destinations.

| Destination Country | Adequacy Status | Key Step 3 Concerns | Typical Supplementary Measures |
|---|---|---|---|
| United States (non-DPF certified) | No adequacy; partial via Data Privacy Framework for certified entities | FISA Section 702, Executive Order 12333 government access | Encryption with EU-held keys, contractual transparency reports, pseudonymisation |
| United States (DPF certified) | Adequacy via EU-US Data Privacy Framework (July 2023) | Limited to certified entities; underlying surveillance laws unchanged | Lighter measures; verify certification status; periodic review |
| India | No adequacy; DPDP Act 2023 in force but not yet equivalent | Government access powers under IT Act 2000 and DPDP Act exemptions | Encryption, contractual safeguards, restricted data categories |
| China | No adequacy; PIPL framework not equivalent | National Intelligence Law, Cybersecurity Law data localisation, government access | Heavy supplementary measures; many EU controllers avoid transfers entirely |
| Russia | No adequacy; sanctions regime restricts transfers | Federal Security Service access powers; sanctions compliance | Transfers generally avoided; case-by-case legal review required |
| Brazil | No adequacy; LGPD in force, adequacy decision under discussion | Generally compatible framework; specific gaps on government access | Standard SCCs typically sufficient; light supplementary measures |
| United Arab Emirates | No adequacy; Federal Decree-Law 45/2021 in force | Free zone variations (DIFC, ADGM) vs federal framework | Restrict transfers to DIFC or ADGM entities where possible |
| Singapore | No adequacy; PDPA framework relatively compatible | Government access framework less intrusive than US/China | Standard SCCs typically sufficient; routine supplementary measures |
| Australia | No adequacy; Privacy Act 1988 broadly compatible | Telecommunications and Other Legislation Amendment (TOLA) Act 2018 access powers | Encryption, contractual safeguards, periodic review |
| Mexico | No adequacy; LFPDPPP relatively compatible | Generally compatible framework; specific gaps on government access | Standard SCCs typically sufficient; light supplementary measures |

The United States case deserves particular attention because it is the most common HR-data destination for global multinationals. The 2023 EU-US Data Privacy Framework provides an adequacy pathway, but it applies only to organisations that have self-certified under the framework. Before relying on the DPF, controllers should verify the importer’s current DPF certification status (which is publicly searchable on the US Department of Commerce DPF list) and document the verification. The DPF adequacy is also subject to ongoing legal challenge, so transfers should continue to maintain SCC + TIA as a fall-back legal basis.

Supplementary Measures: Technical, Contractual, and Organisational

Supplementary measures are the practical instruments that address the gaps identified in step 3 of the EDPB framework. The EDPB recommends three categories: technical measures, contractual measures, and organisational measures. The right combination depends on the data category, the transfer purpose, and the specific destination country risks.

Technical measures are the most operationally significant. Strong encryption with keys held exclusively in the EU is the EDPB’s strongest recommendation, because it can render the data unintelligible to government access in the destination country. Pseudonymisation (replacing identifying data with reversible identifiers held in the EU) is the second most effective technical measure. Split processing, where only non-identifying portions of records are transferred outside the EU, can also work.

Contractual measures include the importer’s commitments to: (a) provide transparency reports on government access requests received; (b) challenge legally questionable access requests through available judicial channels; (c) notify the exporter of any government access request (subject to local law constraints); (d) limit retention to the minimum necessary; and (e) submit to audits by the exporter or independent third parties. Contractual measures alone are rarely sufficient where step 3 found significant government access risk, but they strengthen the overall position.

Organisational measures include internal policies on minimisation of transferred data, training for staff handling cross-border transfers, regular audit and review cycles, and clear escalation procedures for handling government access requests. Organisational measures support the other categories but cannot substitute for them.

For HR data specifically, the typical supplementary measures stack is: technical encryption with EU-held keys for all transferred employee files; contractual transparency commitments from the importer; pseudonymisation of identifying fields where the importer’s processing purpose can be served without them; minimisation of transferred fields to the operational necessity; and annual review of the arrangement.
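The two technical measures named above (reversible pseudonymisation with the mapping held in the EU, and split processing that transfers only the fields the importer needs) and the HR measures stack just described can be made concrete in code. The following is an added illustration, not code from Employsome, the EDPB, or any HR vendor. It assumes a hypothetical payroll importer outside the EEA that only needs a salary band, country and cost centre; the field names, the vault class and the sample record are all constructed for the example. The encryption layer the text also recommends is out of scope here and would sit on top of the outbound payload.

```python
"""Pseudonymisation and split processing of an HR record before an ex-EEA transfer.

Added example (not from the original page). Direct identifiers are replaced by a
keyed token whose mapping never leaves the EU exporter; only the fields the
hypothetical importer needs are sent; results are re-joined to the identity
back in the EU.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed field layout for the example (assumption, not a standard schema).
DIRECT_IDENTIFIERS = ("name", "email", "national_id")
# What the hypothetical payroll importer actually needs (assumption).
IMPORTER_REQUIRED = ("token", "salary_band", "country", "cost_centre")


class EUVault:
    """Token-to-identity mapping. Held only by the EU exporter, never transferred."""

    def __init__(self, key: bytes):
        self._key = key
        self._identities: dict[str, dict] = {}

    def tokenise(self, identity: dict) -> str:
        # Keyed hash: the same person always maps to the same token, so joins
        # across batches still work, but without the key the token is unlinkable.
        canonical = json.dumps(identity, sort_keys=True).encode()
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]
        self._identities[token] = identity
        return token

    def resolve(self, token: str) -> dict:
        return self._identities[token]


def pseudonymise(record: dict, vault: EUVault) -> dict:
    """Replace the direct identifiers with a token registered in the EU vault."""
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS}
    remainder = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"token": vault.tokenise(identity), **remainder}


def split_for_transfer(pseudo: dict) -> tuple[dict, dict]:
    """Split processing: return (outbound payload, fields retained in the EU)."""
    outbound = {k: pseudo[k] for k in IMPORTER_REQUIRED if k in pseudo}
    retained = {k: v for k, v in pseudo.items() if k not in IMPORTER_REQUIRED}
    return outbound, retained


def contains_direct_identifiers(payload: dict) -> bool:
    """Pre-transfer gate: refuse to send a payload that still carries an identifier."""
    return any(k in payload for k in DIRECT_IDENTIFIERS)


def reidentify(importer_result: dict, vault: EUVault) -> dict:
    """Back in the EU: join the importer's output to the real identity."""
    identity = vault.resolve(importer_result["token"])
    return {**identity, **{k: v for k, v in importer_result.items() if k != "token"}}


# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "name": "Example Employee",
    "email": "example.employee@example.com",
    "national_id": "000000-0000",
    "salary_band": "B3",
    "country": "FI",
    "cost_centre": "CC-4711",
    "home_address": "Example Street 1, Helsinki",
}


def demo(key: bytes | None = None) -> dict:
    """Run the full round trip and return the intermediate artefacts."""
    vault = EUVault(key or secrets.token_bytes(32))
    pseudo = pseudonymise(SAMPLE_RECORD, vault)
    outbound, retained = split_for_transfer(pseudo)
    if contains_direct_identifiers(outbound):
        raise RuntimeError("refusing transfer: direct identifier in outbound payload")
    # The importer works only on the pseudonymised payload and returns a result.
    importer_result = {"token": outbound["token"], "net_pay": 3210.50}
    rejoined = reidentify(importer_result, vault)
    return {"outbound": outbound, "retained": retained, "rejoined": rejoined}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the keyed token rather than a random one is that the importer can correlate the same employee across payroll runs without ever holding anything that resolves to a name; the point of the split is that fields such as the home address never need a transfer justification at all, because they never leave the exporter.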

TIA vs DPIA: The Two Documents and Their Distinct Purposes

The Transfer Impact Assessment is operationally similar to the Data Protection Impact Assessment (DPIA) but legally distinct. The two documents address different requirements and should not be conflated, though they frequently overlap in practice.

| Dimension | TIA (Transfer Impact Assessment) | DPIA (Data Protection Impact Assessment) |
|---|---|---|
| Legal basis | GDPR Articles 44-49 + Schrems II case + EDPB Recommendations 01/2020 | GDPR Article 35 |
| Trigger | Any transfer of personal data to a non-adequate country | Processing likely to result in high risk to rights and freedoms |
| Scope | The specific transfer route and destination country legal framework | The processing activity’s impact on data subjects’ rights |
| Focus area | Government access laws, destination country legal protections, supplementary measures | Necessity and proportionality of processing, risk to rights, mitigations |
| Required by | Data exporter and importer jointly | Data controller |
| Frequency | Per transfer route; updated annually or on material change | Per high-risk processing activity; reviewed periodically |
| Supervisory authority consultation | Where supplementary measures require it (rare) | Required where high residual risk remains |

A single processing activity can require both a TIA and a DPIA. A new global HR system rollout that transfers EU employee data to a US-headquartered cloud platform typically requires: a DPIA assessing the processing activity’s impact on employee rights, and a TIA assessing the specific EU-to-US transfer route. The two documents inform each other but are not interchangeable, and supervisory authority audits will look for both where both are required.

Common Transfer Impact Assessment Mistakes

Several common TIA compliance failures recur across international employers. Each can result in supervisory authority enforcement action, suspension of the transfer, or, in serious cases, material fines under GDPR Article 83(5) (up to €20M or 4 percent of global revenue).

1. Using generic boilerplate without country-specific analysis. The most common failure. Supervisory authorities expect specific statutory references in the destination country (FISA Section 702 in the US, National Intelligence Law in China, IT Act provisions in India). Generic templates without this specificity rarely survive scrutiny.

2. Relying on the SCCs alone without a TIA. The Schrems II decision specifically held that SCCs are not by themselves sufficient where the destination country law undermines them. A TIA is required to document why the SCCs are effective for the specific transfer route.

3. Assuming the EU-US Data Privacy Framework eliminates the TIA requirement entirely. The DPF provides adequacy for transfers to certified US organisations, eliminating the need for SCCs and TIA for those transfers. But the importer must be currently certified, and the certification must cover the specific data categories. Many US importers are not DPF-certified, in which case the SCC + TIA combination is still required.

4. Treating the TIA as a one-time document. Step 6 of the EDPB framework requires periodic reassessment. Destination country law changes (new surveillance legislation, changes in adequacy status, new EDPB guidance) trigger TIA updates. Annual review at minimum is the operational best practice.

5. Forgetting transfers via sub-processors. The TIA must cover the full transfer chain, not just the first hop. If the EU exporter sends data to a UK importer who then routes to a US sub-processor, both the EU-to-UK and UK-to-US flows require TIA documentation (the UK-to-US assessment falls on the UK importer but the EU exporter remains responsible for ensuring the chain is documented).

6. Inadequate supplementary measures relative to identified risks. Where step 3 identifies significant government access risk in the destination, technical measures (encryption with EU-held keys, pseudonymisation) are typically required. Contractual commitments alone, while useful, rarely meet the EDPB’s effectiveness threshold for high-risk destinations.

7. Missing the TIA documentation entirely. Some controllers complete the substantive analysis but fail to document it in retrievable form. The TIA must be a written document that the supervisory authority can review on request. Verbal or undocumented analysis does not meet the EDPB requirement.

Frequently Asked Questions: Transfer Impact Assessment

What is a Transfer Impact Assessment?

A Transfer Impact Assessment is a documented analysis that EU and UK data controllers and processors must conduct before transferring personal data to a country outside the European Economic Area that lacks an adequacy decision. The TIA evaluates whether the destination jurisdiction provides protection essentially equivalent to GDPR, considering destination country laws on government access to data, the rights of data subjects, and any supplementary measures (technical, contractual, or organisational) the parties have agreed. The requirement was created by the Court of Justice of the European Union’s 2020 Schrems II decision and refined by EDPB Recommendations 01/2020.

When is a Transfer Impact Assessment required?

A TIA is required whenever a controller or processor in the EU/UK transfers personal data to a country that lacks an adequacy decision from the European Commission. The assessment must be completed before the transfer begins and updated when material circumstances change. Adequacy decisions as of May 2026 cover the UK, Switzerland, Japan, South Korea, New Zealand, Israel, Argentina, Uruguay, and several others, plus the US for organisations certified under the EU-US Data Privacy Framework. Transfers to all other non-EEA destinations trigger the TIA requirement.

What is the EDPB six-step framework?

The EDPB Recommendations 01/2020 set out a six-step framework: (1) know your transfers (map all transfers and parties), (2) identify the transfer tool (SCCs, BCRs, etc.), (3) assess effectiveness in the destination (analyse government access laws and protections), (4) adopt supplementary measures (technical, contractual, organisational), (5) take procedural steps (supervisory authority consultation where required), and (6) reassess at regular intervals. Steps 3 and 4 are where most TIA effort concentrates.

What are supplementary measures?

Supplementary measures are technical, contractual, or organisational instruments that address gaps identified in step 3 of the EDPB framework. Technical measures include strong encryption with EU-held keys, pseudonymisation, and split processing. Contractual measures include transparency reporting commitments, government access challenge obligations, and audit rights. Organisational measures include internal policies on minimisation, training, and escalation procedures. The right combination depends on the data category, transfer purpose, and destination country risks.

Does the EU-US Data Privacy Framework remove the need for a TIA?

The EU-US Data Privacy Framework (DPF), in force since July 2023, provides adequacy for transfers to US organisations that have self-certified under the framework. For transfers to DPF-certified importers within the scope of the certification, SCCs and TIA are not required. Two important caveats apply: the importer must be currently certified (verify on the US Department of Commerce DPF list), and the DPF adequacy decision is subject to ongoing legal challenge. Many US importers are not DPF-certified, in which case the SCC + TIA combination is still required.

How does a TIA differ from a DPIA?

A TIA assesses a specific cross-border transfer to a non-adequate country, focusing on destination country law and supplementary measures. A DPIA assesses a high-risk processing activity’s impact on data subjects’ rights more broadly. Both are required by GDPR but address different questions. A single activity can require both: a global HR system rollout transferring EU employee data to a US cloud provider typically requires a DPIA for the processing impact and a TIA for the transfer route. The documents inform each other but are not interchangeable.

How often must a TIA be reviewed?

Step 6 of the EDPB framework requires periodic reassessment. Annual review is the operational best practice; material changes (new sub-processor, new transfer route, new destination country law, changes in adequacy status, new EDPB guidance) trigger immediate reassessment. The TIA must be a living document, not a one-time exercise. Supervisory authority audits routinely check whether the TIA has been reviewed and updated within a reasonable timeframe.

What are the consequences of inadequate TIA documentation?

Inadequate TIA documentation can trigger supervisory authority enforcement action under GDPR Article 83(5), with fines up to €20 million or 4 percent of global annual revenue, whichever is higher. Beyond direct fines, supervisory authorities can suspend the transfer (forcing operational disruption), require remediation by a defined deadline, and impose corrective orders. The reputational impact of an enforcement action involving employee data transfers can also affect future hiring and retention.

Christa N’dure

Copywriter

Christa is a Copywriter at Employsome with 17 years of professional writing experience across global brands, startups, and online publications. A native English-Finnish writer, she brings strong editorial skills and a versatile background in business, SaaS, and finance. At Employsome, Christa focuses on clear, practical content about HR, payroll, and Employer of Record topics.

Information in this glossary entry is current as of May 2026 and reflects the EU General Data Protection Regulation (Regulation 2016/679), the Court of Justice of the European Union decision in Case C-311/18 (Schrems II), the European Data Protection Board’s Recommendations 01/2020 on supplementary measures, the June 2021 Standard Contractual Clauses, the July 2023 EU-US Data Privacy Framework adequacy decision, the UK GDPR, UK ICO guidance on transfer risk assessments, and other relevant supervisory authority guidance. Frameworks evolve continuously and adequacy decisions remain subject to legal challenge. This guide is for informational purposes only and does not constitute legal or compliance advice. International data controllers should engage qualified EU privacy counsel for jurisdiction-specific TIA design and supervisory authority correspondence.