Contact

Transfer Impact Assessments Under the New SCCs: What You Need to Know

Published
10 Jun 2022
Read time
4 min read
Category
Europe, Law

The New SCCs require organisations to undertake a transfer impact assessment before completing a transfer of personal data from within the European Economic Area to any third country. Read on to learn how to complete a transfer impact assessment:  

Steps to Undertake a Transfer Impact Assessment 

There are three essential steps you need to perform to undertake a transfer impact assessment:  

Step 1: Know and Understand Your Transfer 

To truly know and understand your transfer, you must know:  

  • Who is the data importer; 
  • What services the data importer provides; 
  • The nature of the processing activities the data importer will perform on your behalf;  
  • What categories of personal data are being transferred;  
  • Why the data is being transferred;  
  • Whether the data is encrypted or pseudonymised;  
  • If the data will be stored in or accessed by a third country;  
  • What protections the data importer has implemented. 

Step 2: Consider the Laws in the Third Country  

The GDPR requires that data being transferred out of the EU is protected by ‘essentially equivalent’ protections in the third country it is transferred to. A key part of this is identifying the mechanism being relied on to transfer the data. In many cases, this will be the European Commission’s SCCs. 

The SCCs require:  

The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements. 

To achieve this in practice, organisations should assess the risk of lawful access to the data being transferred to a third country, including:  

  • Identifying the comprehensive data protection/privacy law (if any);  
  • Whether the data importer is contractually required to defend the personal data against access attempts; 
  • What the laws in the third country state about governmental access to imported data;  
  • Whether the objectives pursued by public authorities are necessary and proportionate;  
  • What oversight mechanisms exist in the third country;  
  • Whether individuals have effective legal remedies relating to their data;  
  • What notification requirements are in place;  
  • Whether individual rights to redress exist in the third country.  

Step 3: Identify and Document the Safeguards 

Wherever a risk exists that the data will be accessed in a third country, organisations must implement adequate safeguards against that risk. Where this is not possible, they must not complete the data transfer.  

The safeguards can be technical, contractual, or organisational and may include: 

  • Deciding whether it is feasible for the data exporter to transfer personal data to a whitelisted country instead of a (less safe) third country;  
  • Ensuring the data is adequately protected using technical methods such as encryption and access control (amongst others); 
  • Requiring the data importer to supply certificates and/or reports relating to security and security breaches;  
  • Requiring that the data importer/processor take certain steps when hiring and training personnel who may access the data, such as background checks or annual privacy training; and 
  • Implementing cross-functional diligence requirements so third parties in third countries cannot transfer on personal data without first engaging in a transfer risk assessment and without first obtaining consent. 

Finally, bear in mind that it is not sufficient to complete a transfer impact assessment once and rely on it into the future. You need to refresh the TIAs regularly since the laws of third countries are likely to change over time.  

If you need help meeting your privacy and data protection obligations, reach out.  

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.