Kortave
GDPR | 10 March 2025 | 6 min read

GDPR Data Transfers in 2025: What SCCs Actually Require You to Do

Standard Contractual Clauses are not a checkbox. They require a Transfer Impact Assessment before you sign them. Most companies skip this step entirely.

The 2021 Standard Contractual Clauses replaced the previous SCCs that had been in use since the early 2000s. The new module-based structure received widespread attention when the clauses were released. What received less attention was an accompanying obligation that had always existed but was now explicitly stated in the EDPB's guidelines: before executing SCCs for any data transfer to a third country, you must conduct a Transfer Impact Assessment.

What a Transfer Impact Assessment is

A Transfer Impact Assessment (TIA) is a documented analysis that determines whether the protection provided by the SCCs can actually be maintained in the destination country — or whether the legal framework in that country undermines the protections the SCCs are supposed to provide.

The Schrems II judgment (July 2020) established the principle. The Court of Justice found that the previous adequacy decision for the US (Privacy Shield) was invalid because US surveillance law allowed bulk access to data in ways that were incompatible with EU fundamental rights. In doing so, it made clear that SCCs are not self-sufficient — they work only if the laws of the third country do not prevent the data importer from honouring them.

A TIA is the mechanism for verifying this. It is required for every transfer to every non-adequate third country, for every new SCC you sign.

What a TIA must cover

The EDPB's Recommendations 01/2020 on measures that supplement transfer tools describe the minimum content of a TIA:

  • The nature of the data being transferred (sensitivity, categories, volume).
  • The purpose of the transfer and the nature of the processing in the destination country.
  • Whether the third country's legislation affects the data importer's ability to honour the SCC obligations — specifically: whether there are laws authorising government access to the data, whether those laws are accessible and foreseeable, whether there are independent oversight mechanisms, and whether data subjects have effective redress.
  • The practical experience of the data importer in the relevant jurisdiction (have they received government access requests?).
  • Whether supplementary measures (encryption, pseudonymisation, access controls) are needed to fill any gaps in protection.

The US problem and the EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy basis for transfers to certified US organisations. If your US vendor is DPF-certified, you do not need SCCs for transfers to that entity — you can rely on the adequacy decision.

However, the DPF has already been challenged before the CJEU (Schrems III, pending). Many data protection advisers recommend maintaining SCCs alongside DPF reliance as a precautionary measure. The DPF's predecessor frameworks were invalidated, and a company that relied solely on Privacy Shield in 2020 was left without a transfer mechanism overnight.

The mistakes companies make

  • Treating SCCs as self-executing: A signed SCC does not make a transfer lawful on its own. Without a TIA, the transfer is non-compliant regardless of whether the SCC was signed.
  • Doing one TIA per vendor instead of one per jurisdiction: If a vendor operates in multiple countries (a global SaaS company with data centres in the US, India, and Brazil), you need a TIA for each jurisdiction where your data will be processed or accessible.
  • Not keeping records: TIAs must be documented and retained. If your DPA asks to see the legal basis for your US SaaS vendor transfers, "we signed the SCCs" is not a sufficient answer.
  • Treating completed TIAs as permanent: A TIA is valid at the point in time it was conducted. If the legal framework in the destination country changes — new surveillance legislation, a court ruling, a government access program — the TIA needs to be reviewed.

Cross-border data transfers are one of the most technically complex areas of GDPR compliance. They are also one of the most actively enforced — the Meta Ireland fine of €1.2 billion was for unlawful data transfers to the US under the previous framework. Getting the mechanics right matters.
