
GDPR Art.46.TIA: Transfer Impact Assessment

What This Control Requires

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

In Plain Language

Before sending personal data to a third country using SCCs, BCRs, or any other Article 46 safeguard, you must assess whether the destination country's legal framework actually lets the importer honour those commitments. That assessment is the Transfer Impact Assessment. The CJEU mandated it in Schrems II, and the EDPB detailed the methodology in Recommendations 01/2020.

The core question is practical, not theoretical: can the data importer comply with the transfer mechanism given local laws? Even perfectly executed SCCs are worthless if the destination country's surveillance laws let authorities access personal data in ways that violate EU fundamental rights. Your TIA needs to address the specific circumstances of each transfer, not just offer a general country overview.

A solid TIA covers the destination country's surveillance and government access laws, whether those laws actually apply to your specific transfer, the existence of independent oversight and effective remedies, any practical experience with government access requests, and whether your chosen mechanism plus supplementary measures can close any protection gaps. If the answer is no, the transfer cannot go ahead.

How to Implement

Create a standardised TIA methodology and template following the EDPB's recommended steps: identify the transfer and its circumstances, identify the transfer mechanism, assess the third-country legal framework, evaluate the mechanism's effectiveness in that legal context, and determine whether supplementary measures are needed and can work.

Start by documenting the transfer specifics. Record the exporter and importer identities, data categories and volumes, transfer purposes, data format (cleartext, encrypted, pseudonymised), the importer's sector, the technical transfer method, and whether onward transfers occur. Context matters enormously here - encrypted health data has a very different risk profile from basic contact details in cleartext.

Assess the destination country's legal framework in depth. Zero in on government access laws covering intelligence surveillance, law enforcement, and national security - their scope, limitations, oversight mechanisms, and safeguards. Measure these against the EU essential guarantees: clear and precise rules, necessity and proportionality, independent oversight, and effective individual remedies. Draw on publicly available legal analyses, human rights reports, and EDPB guidance.

Evaluate whether the data importer can actually comply with the transfer mechanism under those local laws. Can they fulfil their commitments around government access notifications, challenge obligations, and data protection standards? Get representations from the importer about their practical experience with government access requests and their realistic exposure to them.

Where the TIA surfaces risks the mechanism alone cannot handle, identify supplementary measures and assess their effectiveness. Consider technical measures (encryption, pseudonymisation, split processing), organisational measures (access restrictions, transparency policies), and contractual measures (enhanced obligations). If no combination can ensure adequate protection, suspend the transfer. Document everything - the assessment, the reasoning, and the conclusion.

Evidence Your Auditor Will Request

  • TIA methodology and template documentation
  • Completed TIAs for all international transfers relying on Article 46 safeguards
  • Legal framework assessments for destination countries
  • Data importer representations regarding government access requests
  • Documentation of supplementary measures identified and implemented as a result of TIAs

Common Mistakes

  • No TIA conducted despite relying on SCCs or other Article 46 safeguards
  • TIA is generic and does not assess the specific circumstances of the transfer
  • Legal framework assessment is superficial and does not examine government access laws in detail
  • TIA identifies risks but no supplementary measures are implemented
  • TIA conducted once but never reviewed or updated when circumstances change

Related Controls Across Frameworks

Framework | Control ID | Relationship
ISO 27001 | A.5.34 | Related

Frequently Asked Questions

Is a TIA legally required?
Yes. Schrems II made it clear that anyone using Article 46 transfer mechanisms must assess, case by case, whether the destination country provides essentially equivalent protection. The EDPB turned this into detailed practical recommendations. Supervisory authorities now expect documented TIAs when they audit international transfers - not having one is a straightforward compliance failure.
Can we rely on the data importer's assessment of their own country's laws?
Their input is valuable, especially around practical experience with government access requests. But the responsibility sits with you as the exporter. Conduct your own independent assessment of the legal framework and use the importer's representations as one input among several. Outsourcing the assessment entirely to the importer does not discharge your obligation.
How often should we update our TIAs?
Review at least annually, and update whenever something relevant changes: new legislation or case law in the destination country, shifts in government access practices, fresh guidance from supervisory authorities or the EDPB, changes to the transfer itself (new data categories, purposes, or recipients), or significant events like the importer receiving government access requests. A TIA that sits untouched for years is almost as bad as having none.
