What’s Covered?
The guide is a step-by-step methodology for EU-based data exporters—controllers or processors—who transfer personal data to countries outside the EEA using a transfer mechanism under Article 46 GDPR (e.g., Standard Contractual Clauses, BCRs). It clarifies when and how to perform a TIA, including the exact points to check before and during the process.
Pre-TIA phase covers:
- Whether the action even qualifies as a “transfer” under Chapter V.
- Whether a TIA is needed (based on transfer tools or adequacy decisions).
- Who’s responsible (typically the exporter, possibly jointly with the importer).
- Whether onward transfers are in scope.
- General GDPR compliance beyond transfer-specific concerns.
The six-step TIA process consists of:
- Know your transfer – identify what data is being sent, to whom, by whom, and under what context.
- Identify the transfer tool – typically SCCs or another Article 46 mechanism.
- Assess third-country laws and practices – based on both written law and actual practices (e.g., surveillance, access requests).
- Identify and adopt supplementary measures – technical (e.g., encryption), contractual, or organisational.
- Implement those measures – includes a model action plan and documentation strategy.
- Re-evaluate periodically – accounting for legal changes, new risks, or revised data uses.
CNIL’s guide is clear that the process must be context-specific. It doesn’t prescribe which countries are “safe” or offer ready-made conclusions about legal adequacy. Instead, it links back to the EDPB’s Recommendations 01/2020 and shows how to build evidence-based judgments under Schrems II obligations.
💡 Why It Matters
EU-based companies can no longer outsource responsibility for international data transfers. This guide equips privacy teams with a reliable way to map out risks, measure gaps in protection, and apply supplementary safeguards with confidence. It’s one of the few tools that translates post-Schrems II theory into operational practice—especially critical for small and mid-sized exporters without a global legal team.
What’s Missing?
The guide doesn’t include actual country assessments or a list of problematic jurisdictions. Exporters are left to do their own due diligence. There’s also limited direction on how to weigh different factors—like whether state access risks outweigh technical mitigations. You won’t find a risk calculator or threshold matrix to help make the call.
Another missing piece: examples of successful TIAs or anonymized case studies. For teams doing this for the first time, sample documents or model TIA reports would go a long way in demystifying the process.
And while there’s strong alignment with EDPB guidance, the practical support for handling hybrid situations (e.g., transfers via sub-processors or multiple jurisdictions) could be stronger.
Best For:
- DPOs or privacy teams at companies exporting data outside the EEA
- Legal advisors supporting SCC-based transfers post-Schrems II
- Cloud service customers evaluating third-country storage or access
- SMEs seeking a structured path through GDPR’s Chapter V requirements
Source Details:
Full Title: Transfer Impact Assessment – Practical Guide (Final Version)
Publisher: CNIL (Commission Nationale de l’Informatique et des Libertés)
Date: January 2025
Context: Built around the EDPB’s Recommendations 01/2020 (v2.0), the guide reflects the heightened post-Schrems II obligations on data exporters relying on Article 46 transfer tools. CNIL positions this as a non-binding but strongly recommended methodology for compliance.
🛠️ Key References:
- GDPR Chapter V
- EDPB Recommendations 01/2020 (v2.0)
- Schrems II (CJEU C-311/18)
- EDPB Guidelines 05/2021 on international transfers
👁️ Note: The guide explicitly states it doesn’t cover adequacy decisions or Article 49 derogations, and that a TIA is not required for transfers to countries covered by an adequacy decision.