performing-transfer-impact-assessment

Performing Transfer Impact Assessment

Overview

Following the Court of Justice of the European Union (CJEU) judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18, 16 July 2020) — commonly known as Schrems II — controllers and processors transferring personal data outside the EEA must assess whether the legal framework of the destination country provides an essentially equivalent level of protection to that guaranteed by the GDPR and the EU Charter of Fundamental Rights. This assessment is known as a Transfer Impact Assessment (TIA). The European Data Protection Board adopted Recommendations 01/2020 on 18 June 2021, establishing a six-step process for conducting TIAs.

Legal Foundation

CJEU C-311/18 Key Holdings

  1. Privacy Shield invalidated: The EU-US Privacy Shield framework was declared invalid due to US surveillance programmes (Section 702 FISA, EO 12333) enabling mass access to personal data transferred from the EU, with insufficient remedies for EU data subjects.
  2. Standard Contractual Clauses remain valid in principle: The SCCs decision (2010/87/EU, now replaced by Commission Implementing Decision 2021/914) was upheld, subject to the requirement that data exporters verify that the clauses can be complied with in practice in the destination country.
  3. Case-by-case assessment required: Controllers cannot rely on SCCs mechanically; they must assess the destination country's legal framework and, where necessary, implement supplementary measures to ensure essentially equivalent protection.
  4. Supervisory authority intervention: Supervisory authorities are required to suspend or prohibit transfers where essentially equivalent protection cannot be ensured.

EDPB Recommendations 01/2020 — Six-Step Process

The EDPB established a structured methodology for evaluating whether transfers can proceed:
