What is a TIA?
A Transfer Impact Assessment (TIA) is the documented case-by-case analysis that an EU/EEA data exporter must conduct before relying on SCCs, BCRs or other Article 46 transfer tools to send personal data to a “third country.” The TIA requirement comes from the CJEU’s Schrems II judgment (C-311/18, July 2020) and EDPB Recommendations 01/2020 on supplementary measures.
TIA elements (EDPB six-step methodology)
- Map the transfer: exporter, importer, data categories, purposes, onward transfers.
- Identify the transfer tool: SCCs, BCRs, derogations (Article 49).
- Assess third country law: particularly government access (intelligence, law enforcement) and effective remedies for data subjects.
- Identify supplementary measures if the legal framework is inadequate: technical (encryption with keys held in EU), contractual, organisational.
- Procedural steps to adopt the measures (DPA update, vendor commitments).
- Re-evaluate at appropriate intervals.
Common third-country findings
- US: historically problematic (FISA 702, Executive Order 12333); now improved under DPF for participating organisations.
- India, China, Russia: generally require strong supplementary measures or alternative architectures.
- UK, Switzerland, Israel: covered by adequacy — no TIA needed for transfers to these.
Türk şirketleri için
Türkiye AB tarafından adequacy listesinde değildir; AB veri ihracatçıları Türkiye’ye transfer için SCC + TIA gerektirir. TIA, Türkiye’deki devlet erişim mevzuatını (özellikle MASAK, MİT Kanunu, 5651 Sayılı Kanun), KVKK Kurulu denetim yetkilerini ve veri sahibi etkili çareleri değerlendirir. Türk veri ithalatçıları için TIA dosyasını desteklemek (importer questionnaire, sub-processor disclosure, encryption-at-rest belgeleri) AB müşteri kazanmanın pratik şartıdır.
Do: conduct TIAs as living documents, refreshed when third-country law or transfer architecture changes.
Don’t: rely on a generic “we use SCCs” statement — Schrems II requires the documented assessment, not just the contract.