Study Guide: Certified Information Privacy Professional (CIPP): EU - Transfer Impact Assessments, TIA, and Supplementary Measures
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-transfer-impact-assessments-tia-and-supplementary-measures


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E – Transfer Impact Assessments (TIA) & Supplementary Measures
Your go-to cheat sheet for the exam and the boardroom.


What This Is

A Transfer Impact Assessment (TIA) is a systematic analysis required under the GDPR when personal data is moved from the EU/EEA to a third country that does not have an EU adequacy decision. The TIA evaluates whether the destination’s legal environment (e.g., U.S. surveillance laws) can undermine the protection guaranteed by the EU standard contractual clauses (SCCs) or other transfer tools. Supplementary measures are the extra technical, contractual or organisational safeguards you put in place to “bridge the gap” identified by the TIA.

Real-world example: A German-based tech firm wants to host its employee HR database on a U.S. cloud provider. Because the U.S. does not have an EU adequacy decision, the firm must (1) run a TIA to see if U.S. government-access laws could erode the SCC-based protection, and (2) add supplementary measures—e.g., end-to-end encryption with keys held only in the EU, strict access logging, and a “no law-enforcement request” clause in the cloud contract.


Key Terms & Provisions

  • Transfer Impact Assessment (TIA): A risk-based review (GDPR Art. 46 & 49) of the legal, practical, and technical environment of the destination country to determine whether the transferred data will enjoy a level of protection essentially equivalent to that required in the EU.
  • Supplementary Measures: Additional safeguards (technical, contractual, organisational) that compensate for any shortfall identified in the TIA. They must be effective, enforceable, and proportionate (GDPR Recital 108).
  • Standard Contractual Clauses (SCCs): Model clauses approved by the European Commission (Art. 46) that create contractual obligations for the exporter and importer to protect EU data. Post-Schrems II, SCCs are not sufficient on their own without a TIA.
  • Adequacy Decision: A Commission finding that a third country provides an “essentially equivalent” level of data protection (e.g., Canada under PIPEDA, Japan’s DPPA). When present, no TIA is required.
  • Binding Corporate Rules (BCRs): Internal data-transfer mechanisms approved by EU data-protection authorities (DPAs) that allow intra-group transfers. BCRs also require a TIA when the destination is a non-adequate country.
  • Article 32 – Security of Processing: Sets the baseline for technical and organisational measures (e.g., encryption, pseudonymisation) that often become the core of supplementary measures.
  • Article 35 – DPIA: A DPIA may be required before a TIA if the transfer is part of a high-risk processing activity (e.g., large-scale profiling).
  • Schrems II (C-311/18): The 2020 Court of Justice of the EU (CJEU) decision that invalidated the EU-U.S. Privacy Shield and clarified that SCCs must be accompanied by a TIA and effective supplementary measures.
  • “Essentially Equivalent” Standard: The EU’s benchmark for third-country protection; it is a factual, not a formal, test—meaning you compare the destination’s law to the GDPR’s core principles (lawfulness, purpose limitation, data minimisation, etc.).
  • Data Subject Rights (Art. 20–22): Even after a transfer, EU data subjects retain rights to access, rectification, erasure, restriction, and portability; supplementary measures must not impede these rights.

Step-by-Step Process Flow

  1. Identify the Transfer – Document the data categories, volume, purpose, and the third-country recipient (e.g., “HR employee data → U.S. payroll processor”).
  2. Check for an Adequacy Decision or Approved Mechanism – If an EU adequacy decision or approved BCR/SCC exists, move to step 5; otherwise, you must conduct a TIA.
  3. Conduct the TIA
     • Legal Scan: Map the destination country’s surveillance, data-retention, and law-enforcement-access statutes.
     • Risk Rating: Use a simple matrix (Low/Medium/High) to assess the likelihood that the destination’s law will override the SCCs.
     • Document Findings: Record the legal gaps, the impact on data-subject rights, and the justification for any residual risk.
  4. Design & Implement Supplementary Measures
     • Technical: End-to-end encryption, tokenisation, secure key management (keys stored in the EU).
     • Contractual: Add clauses prohibiting the importer from complying with foreign government requests without prior EU DPA approval.
     • Organisational: Conduct regular audits, train staff on the “no-disclosure” policy, and set up a rapid-response legal team for government-request challenges.
  5. Validate & Record – Have the DPO or senior privacy officer sign off that the combined SCC + supplementary measures meet the “essentially equivalent” standard. Store the TIA file with the transfer contract.
  6. Monitor & Review – At least annually (or when the legal landscape changes), reassess the TIA and update supplementary measures accordingly.

Common Mistakes

Mistake: Assuming SCCs alone are enough – many candidates think signing SCCs automatically satisfies the GDPR.
Correction: Add a TIA: post-Schrems II, SCCs must be paired with a documented TIA and effective supplementary measures.

Mistake: Relying on “technical encryption” without key-location control – encrypting data but storing the decryption keys in the destination country.
Correction: Keep keys in the EU (or another adequate jurisdiction) so that the destination party cannot decrypt the data, even when compelled under local law.

Mistake: Treating a “Privacy Shield-like” clause as adequate – copying a US-style privacy policy and calling it a supplementary measure.
Correction: Use enforceable contractual clauses that mirror the SCC obligations and are subject to EU supervisory authority oversight.

Mistake: Skipping the legal scan – focusing only on IT-security checklists and ignoring the destination’s surveillance laws.
Correction: Conduct a full legal analysis (including FISA-type statutes, national security letters, etc.) as the first TIA step.

Mistake: Failing to document the decision-making process – oral approvals or informal notes.
Correction: Maintain a written TIA dossier (risk matrix, mitigation plan, DPO sign-off) for auditability.
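The technical supplementary measure named in the process flow (end-to-end encryption with keys stored in the EU) and the key-location mistake above come down to one question: can the importer produce plaintext from what it holds? The following Go program is an added example, not code from the Fatskills guide; it uses the standard library’s AES-256-GCM to contrast envelope encryption (a per-record data key wrapped under a key-encryption key that never leaves the EU) with provider-managed “encryption at rest” (the provider holds the key beside the data). The `Store` model, the function names and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store is what the importer in the non-adequate country holds: ciphertext, plus
// either a DEK wrapped under an EU-held KEK (client-side) or its own key (provider-managed).
type Store struct {
	Ciphertext  []byte // AES-256-GCM output, nonce prepended
	WrappedDEK  []byte // DEK sealed under the EU-held KEK (nil when provider-managed)
	ProviderKey []byte // key the provider can use on its own (nil when client-side)
}

// randomBytes panics on failure: a broken CSPRNG is not a recoverable condition.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a 256-bit AES key; in practice the KEK lives in an EU-resident HSM/KMS.
func NewKey() []byte { return randomBytes(32) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// ClientSideEncrypted runs in the EU before transfer: a fresh DEK encrypts the record, the KEK seals the DEK.
func ClientSideEncrypted(kek, record []byte) (Store, error) {
	dek := NewKey()
	ct, err := seal(dek, record)
	if err != nil {
		return Store{}, err
	}
	wrapped, err := seal(kek, dek)
	return Store{Ciphertext: ct, WrappedDEK: wrapped}, err
}

// ProviderManagedAtRest models the common mistake: encrypted, but the key sits with the provider abroad.
func ProviderManagedAtRest(record []byte) (Store, error) {
	key := NewKey()
	ct, err := seal(key, record)
	return Store{Ciphertext: ct, ProviderKey: key}, err
}

// RecoverInEU unwraps the DEK with the EU-held KEK and decrypts the record.
func RecoverInEU(kek []byte, s Store) ([]byte, error) {
	dek, err := open(kek, s.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, s.Ciphertext)
}

// DiscloseOnRequest is what the provider can produce on its own if compelled under local law.
func DiscloseOnRequest(s Store) ([]byte, error) {
	if s.ProviderKey == nil {
		return nil, errors.New("provider holds only ciphertext and a wrapped DEK; the KEK is in the EU")
	}
	return open(s.ProviderKey, s.Ciphertext)
}

func main() {
	kek, record := NewKey(), []byte("employee_id=4711;salary_band=C") // constructed sample
	good, _ := ClientSideEncrypted(kek, record)
	bad, _ := ProviderManagedAtRest(record)
	fmt.Println(DiscloseOnRequest(good)) // empty result and an error: nothing usable to hand over
	fmt.Println(DiscloseOnRequest(bad))  // the record’s bytes and a nil error: the provider can decrypt
}
```

The point for the TIA file is the asymmetry between the two `Store` values: in the client-side case the importer’s holdings are useless without the KEK, so the legal scan of the destination’s access statutes is answered technically rather than contractually; in the provider-managed case the same encryption does nothing for the transfer risk, because whoever can compel the provider also reaches the key.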

CIPP Exam Insights

  1. Schrems II Trigger – The exam loves to ask which additional step is required after the CJEU’s 2020 ruling. Remember: TIA + supplementary measures (not just SCCs).
  2. “Essentially Equivalent” vs “Adequate” – A frequent trap: “If a country has an adequacy decision, no supplementary measures are needed.” True, but only if the decision is still in force and the transfer is covered by that decision.
  3. Technical vs Contractual Measures – Expect a scenario where encryption alone is insufficient because the key is stored abroad; the correct answer will include a contractual prohibition on government-request compliance.
  4. Scope of the TIA – The exam may present a “low-risk” transfer (e.g., public-website analytics) and ask whether a TIA is mandatory. Answer: Only if the transfer tool is SCCs/BCRs and the destination lacks adequacy; otherwise, a DPIA may be enough.

Quick Check Questions

  1. Scenario: A French SaaS provider uses an EU-based data centre but outsources backup storage to a U.S. provider that offers “encryption at rest.” The provider has signed SCCs.
    Question: Is a TIA required, and why?
    Answer: Yes. The U.S. has no EU adequacy decision, and SCCs alone are insufficient post-Schrems II, so a TIA must assess U.S. surveillance law and determine supplementary measures (e.g., holding encryption keys in the EU).

  2. Scenario: An Irish hospital transfers patient records to a partner clinic in Canada (PIPEDA-approved).
    Question: Does the hospital need to run a TIA?
    Answer: No. Canada has an EU adequacy decision, so the transfer meets the “essentially equivalent” standard without a TIA.

  3. Scenario: A German e-commerce site embeds a third-party analytics script hosted in Brazil. The script processes IP addresses and cookie IDs.
    Question: Which GDPR article triggers a DPIA, and does a TIA follow?
    Answer: Art. 35 DPIA is triggered because the processing involves systematic monitoring of a large number of data subjects; a TIA is required only if the transfer uses SCCs/BCRs and Brazil lacks adequacy (which it does).


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 44–50 – Governs all international transfers; Art. 45 (adequacy) → no TIA; Art. 46 (SCCs/BCRs) → TIA required.
  2. Schrems II (2020) – SCCs must be accompanied by a Transfer Impact Assessment and effective supplementary measures.
  3. “Adequacy” ≠ “Safe” – Even with an adequacy decision, you must still respect data-subject rights and may need a DPIA for high-risk processing.
  4. Supplementary Measure Example: End-to-end encryption with keys stored in the EU (Art. 32).
  5. Maximum Fine for Transfer Violations: Up to €20 million or 4 % of global turnover (Art. 83(5)).
  6. UK GDPR Parallel: Same TIA requirement under the UK’s “International Transfer” regime (UK SCCs).
  7. BCRs Approval: Requires a DPA-led review and a TIA for each non-adequate destination.
  8. Art. 32 Baseline: Confidentiality, integrity, availability, and resilience of processing systems – the technical backbone of supplementary measures.
  9. Legal Scan Must Include: Surveillance, national-security, and data-retention statutes (e.g., US FISA, CLOUD Act).
  10. Exam Trap: “If the data is pseudonymised, no TIA is needed.” – Wrong; pseudonymisation reduces risk but does not eliminate the need for a TIA when using SCCs to a non-adequate country.

Takeaway: A Transfer Impact Assessment is the “risk lens” you apply before you rely on any EU-standard transfer tool. Pair it with concrete, enforceable supplementary measures, document everything, and review annually. Master this flow and you’ll ace the CIPP/E questions – and keep your organization compliant when data crosses borders.