What is a Transfer Impact Assessment (TIA)?
A Transfer Impact Assessment (TIA), called a Transfer Risk Assessment (TRA) by the UK ICO, is a documented analysis you must complete before transferring personal data from the EU/EEA to a third country (a country outside the EEA that is not covered by an adequacy decision) under an Article 46 transfer tool such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
The legal requirement comes from the CJEU's Schrems II judgment (C-311/18, July 2020), which invalidated the EU-US Privacy Shield and placed a new obligation on data exporters: you must verify, before the transfer, that the SCCs can actually be complied with in the destination country, given local law and practice.
The European Data Protection Board (EDPB) formalised this in its Recommendations 01/2020 on transfers of personal data to third countries (updated June 2021), setting out a six-step roadmap for conducting a TIA.
When do you need a TIA?
You need a TIA whenever you:
- Use SCCs as the transfer mechanism to a non-adequate third country (the most common scenario: typically transfers to US importers that are not DPF certified, to India, or to other non-adequate countries)
- Use Binding Corporate Rules (BCRs) for intra-group transfers to non-adequate countries
- Use any other Art. 46 tool (approved codes of conduct, certification mechanisms, or ad hoc clauses authorised by a supervisory authority)
You do not need a TIA when you rely on an Art. 49 derogation (explicit consent, contractual necessity and the other listed exceptions): derogations are exceptions rather than transfer tools, and the EDPB roadmap stops at Step 2 in that case. Derogations are narrowly construed and intended for occasional, non-repetitive transfers, so they are rarely a sustainable basis for a SaaS product's routine data flows.
You do not need a TIA for transfers covered by an EU adequacy decision: the US, but only where the importer is certified under the EU-US Data Privacy Framework (adequacy decision adopted 10 July 2023); the UK; Canada (commercial organisations subject to PIPEDA); Japan; Israel; Argentina; and others. Check the European Commission's current list of adequacy decisions before assuming you need a TIA, and for the US check the importer's own entry on the DPF list rather than relying on the country alone.
The Schrems II context: why TIAs exist
The CJEU in Schrems II held that SCCs alone are not sufficient — the controller must assess whether the third country's law and practice undermines the guarantees in the SCCs. The key concern was US intelligence law: Section 702 FISA (targeted collection) and Executive Order 12333 (bulk collection) give US authorities broad access to data held by US companies.
While the EU-US Data Privacy Framework (DPF) — which replaced Privacy Shield — now covers many US transfers (and has itself been challenged), companies relying on SCCs for non-DPF entities or for transfers to other countries still need TIAs.
The EDPB six-step TIA roadmap
Step 1: Know your transfers
Map all personal data transfers to third countries. This includes direct transfers (your app to a US database) and onward transfers through sub-processors (your app → Sentry → Sentry's US servers; your app → OpenAI API). Your Sub-Processor List is the starting point for this mapping.
Key questions:
- What categories of personal data are transferred?
- To which countries?
- For what purpose?
- Which transfer mechanism applies?
Step 2: Identify the transfer tool
Confirm your legal basis for the transfer:
- Adequacy decision (Art. 45): no TIA needed
- Standard Contractual Clauses (Art. 46(2)(c)/(d)): TIA required
- Binding Corporate Rules (Art. 47): TIA required
- Derogations (Art. 49): no TIA under the EDPB roadmap, but the conditions are strict and they are meant for occasional, non-repetitive transfers
For most SaaS companies, SCCs are the primary mechanism for transfers to non-adequate countries. The 2021 SCCs (Commission Implementing Decision (EU) 2021/914, replacing the 2001/2004 and 2010 sets) build the obligation in: under Clause 14 both parties warrant that they have assessed the laws and practices of the destination country, must document that assessment, and must make it available to the competent supervisory authority on request.
Step 3: Assess the third country's law and practice
This is the substance of the TIA. For the destination country, evaluate:
- Surveillance laws — Does the country have laws that could compel the data importer to disclose personal data to government authorities?
- Rule of law and judicial remedies — Are there effective legal remedies for data subjects if their rights are violated?
- Practical experience — Has the data importer actually been subject to government data requests in this context?
For common SaaS destinations:
| Country | Key government-access laws | Adequacy? | TIA needed? |
|---|---|---|---|
| United States (importer DPF certified) | FISA s.702, EO 12333 | ✅ Yes (DPF-certified importers only) | No (rely on DPF) |
| United States (importer not DPF certified) | FISA s.702, EO 12333 | ❌ No | Yes (SCCs) |
| India | IT Act 2000 (s.69 interception/decryption orders), CERT-In directions 2022 | ❌ No | Yes (SCCs) |
| China | National Intelligence Law 2017, Cybersecurity Law 2017, Data Security Law 2021 (PIPL governs outbound transfers, not government access) | ❌ No | Yes, high risk |
| Brazil | Marco Civil da Internet (Lei 12.965/2014) retention and disclosure duties; LGPD is the data-protection law, not an access law | ❌ No adequacy decision yet | Yes (SCCs) |
| Australia | TOLA Act 2018 (Assistance and Access), Telecommunications (Interception and Access) Act 1979 | ❌ No | Yes (SCCs) |
Step 4: Adopt supplementary measures if needed
If Step 3 reveals the SCCs cannot be fully complied with, you must implement supplementary measures to bring protection up to EU standards. The EDPB identifies three categories:
- Technical measures — end-to-end encryption (where the data importer cannot access plaintext data), pseudonymisation before transfer, split processing across multiple jurisdictions, zero-knowledge architectures
- Contractual measures — enhanced transparency obligations, obligations to challenge government orders, notification of legal process (where legally permitted), data minimisation
- Organisational measures — internal policies limiting data retention in third countries, staff training on government access requests, publishing transparency reports
Important: the EDPB found no effective technical measure for the cases where the importer needs the data in the clear, such as a cloud provider that must process plaintext or remote access for business purposes (Use Cases 6 and 7 in Annex 2 of the Recommendations). Contractual and organisational measures bind the importer, not the third country's authorities, so if destination law gives those authorities access to plaintext and the importer cannot work on encrypted or pseudonymised data, you may need to reconsider the transfer entirely.
Step 5: Take formal procedural steps
If supplementary measures are sufficient: proceed with the transfer, execute the SCCs, implement the supplementary measures, and document everything.
If supplementary measures are insufficient: you must not start the transfer, or must suspend or end it. Clause 14(f) of the 2021 SCCs requires the exporter to suspend the transfer where no appropriate safeguards can be ensured. Art. 46(3) lets a supervisory authority authorise ad hoc contractual clauses, but those face the same destination-law problem and are not a way around a negative assessment.
Step 6: Re-evaluate periodically
TIAs are not one-and-done. Review your TIAs when:
- The third country's law changes materially
- You add new categories of personal data to the transfer
- The data importer changes their processing activities or sub-processors
- A court strikes down an adequacy decision (as happened with Privacy Shield)
- Your DPA, SCCs, or transfer mechanism is updated
Annual TIA reviews are considered best practice.
Practical TIA for common SaaS transfers
AWS / GCP / Azure (EU region, DPF certified)
If you use an EU region and the transfer that remains (support access, telemetry, account and billing data) is covered by the provider's DPF certification: no TIA needed, because the adequacy decision covers it. An EU region on its own does not remove the transfer; verify that the provider entity you actually contract with is active on the DPF list at dataprivacyframework.gov.
If you use a US region with SCCs (non-DPF): a TIA is required. Document that the provider is subject to FISA 702, that it has challenged orders and publishes transparency reports, and which supplementary measures you rely on. Be precise about encryption: encryption in transit and provider-managed encryption at rest are good hygiene but do not count as a supplementary measure in the EDPB's sense, because the importer can still produce plaintext on demand. Only keys held solely by you, outside the provider's reach (for example an external key manager in the EEA), meet Use Case 1 of the Recommendations.
OpenAI / Anthropic / AI APIs
AI APIs are one of the most complex transfer scenarios in 2026. Key issues:
- Are you sending personal data in prompts? Names, e-mail addresses, ticket text and free-form user input are all personal data. If so, this is a transfer to the US, and the provider is your processor (or a sub-processor, if you process the data on behalf of your own customers).
- OpenAI is on the EU-US DPF list: no TIA needed if you rely on the DPF. Certification is per legal entity, so confirm the entity named in your contract is the one listed.
- If you rely on SCCs instead (for example via the provider's DPA): TIA needed.
- Anthropic and other providers: check the current DPF certification status of the contracting entity; use SCCs plus a TIA if uncertain.
Best practice: minimise personal data in AI prompts; pseudonymise before the data leaves your EU environment where possible; and execute the AI provider's DPA. Pseudonymisation only counts as a supplementary measure (EDPB Use Case 2) if the re-identification key and mapping stay with you and the importer cannot attribute the data to a person using other information it holds.
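The following is an added example, not ComplyKit's code or any AI provider's SDK, showing the pseudonymise-before-transfer technique from Step 4 and the best practice above: direct identifiers are replaced with keyed-hash tokens before the prompt leaves the EU environment, the HMAC key and the token table stay with the exporter, and a guard refuses to send text that still contains a plaintext e-mail address. The sample ticket, the e-mail regex and the `Pseudonymiser` class are constructed for illustration.

```python
"""Pseudonymise direct identifiers before a prompt is sent to a third-country
AI API. Added example (not ComplyKit's or any provider's code): the HMAC key
and the token->value table stay in the exporter's EEA environment, so the
importer only ever sees tokens (EDPB Recommendations, Use Case 2)."""
import hashlib
import hmac
import re
import secrets

# Constructed sample: a support ticket a SaaS app might summarise with an LLM.
SAMPLE_TICKET = (
    "Customer Anna Novak (anna.novak@example.org) reports that her invoice "
    "was sent to j.doe@example.com by mistake. Please draft a reply to Anna."
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Pseudonymiser:
    """Keyed, deterministic tokenisation with a local re-identification table."""

    def __init__(self, key: bytes, known_names=None):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key
        self._vault = {}  # token -> original value; never leaves the EEA
        # Names cannot be found reliably by regex, so take them from your own
        # records (the data subjects on the ticket). Longest first, so that
        # "Anna Novak" is replaced before the bare "Anna".
        self._names = sorted(known_names or [], key=len, reverse=True)

    def _token(self, kind: str, value: str) -> str:
        # HMAC rather than a plain hash: without the key the importer cannot
        # confirm a guessed e-mail address by hashing it. Deterministic per
        # key, so the same person keeps the same token within a session.
        mac = hmac.new(self._key, f"{kind}\x00{value}".encode(), hashlib.sha256)
        token = f"[{kind}_{mac.hexdigest()[:16]}]"
        self._vault[token] = value
        return token

    def pseudonymise(self, text: str) -> str:
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        for name in self._names:
            pattern = re.compile(r"\b" + re.escape(name) + r"\b")
            text = pattern.sub(lambda m: self._token("NAME", m.group(0)), text)
        return text

    def reidentify(self, text: str) -> str:
        # Applied to the importer's response, inside the EEA.
        for token, value in self._vault.items():
            text = text.replace(token, value)
        return text


def contains_plaintext_email(text: str) -> bool:
    """Pre-send guard: True if an e-mail address survived pseudonymisation."""
    return EMAIL_RE.search(text) is not None


def prepare_for_transfer(p: Pseudonymiser, text: str) -> str:
    """Pseudonymise, then refuse to transfer if a direct identifier slipped through."""
    out = p.pseudonymise(text)
    if contains_plaintext_email(out):
        raise RuntimeError("refusing transfer: plaintext e-mail address in prompt")
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from your EU-resident KMS
    p = Pseudonymiser(key, known_names=["Anna Novak", "Anna"])
    outbound = prepare_for_transfer(p, SAMPLE_TICKET)
    print("sent to importer:", outbound)
    # Simulated model reply that reuses a token verbatim; re-identified locally.
    reply = "Draft: apologies to " + p.pseudonymise("Anna") + " for the misdirected invoice."
    print("re-identified reply:", p.reidentify(reply))
```

Two limits to record in the TIA: regex and name-list matching catch direct identifiers only, so pair this with prompt minimisation rather than treating it as complete anonymisation; and the token table is itself personal data, so it needs the same access control and retention limits as the source records.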
Sentry (error tracking)
Sentry can capture personal data in error messages, stack traces, request bodies and user context. Sentry is headquartered in the US; it offers an EU data region (Frankfurt) and is on the DPF list (verify the contracting entity). EU hosting plus DPF: no TIA needed. US hosting with SCCs: TIA required. Whichever region you use, enable Sentry's server-side data scrubbing and strip identifiers in the SDK's beforeSend hook so they are never captured in the first place; that is data minimisation, and it shrinks what the TIA has to cover.
What to document in your TIA
Keep TIA records alongside your GDPR Article 30 Records of Processing Activities (RoPA), which must itself list transfers to third countries and the safeguards relied on. For each transfer, document:
- Transfer identification: controller, processor, data categories, transfer mechanism, destination country
- Legal basis for transfer (SCCs, BCRs, adequacy, derogation)
- Assessment of third country law: relevant surveillance laws identified; sources used
- Conclusion: whether SCCs can be complied with; if yes, on what basis; if supplementary measures adopted, what they are
- Date of assessment; next review date; who conducted it
TIA tools and templates
Use ComplyKit's generators to build the document foundation your TIA references:
- GDPR DPA Generator — your DPA with processors should reference the TIA and SCCs; Clause 14 of the 2021 SCCs requires a TIA
- Sub-Processor List Generator — starting point for mapping all transfers and their mechanisms
- Privacy Policy Generator — must disclose international transfers and mechanisms to data subjects
- DPIA Generator — high-risk transfers (e.g., bulk transfer of sensitive data to non-adequate country) may trigger a mandatory DPIA under Art. 35
For more on GDPR international transfers, see our guides on what is a DPA under GDPR and what is a sub-processor.