Glossary term
TIA
Also: Transfer Impact Assessment
Assessment of the protection level in the recipient country for data transfers to third countries after Schrems II. Required under SCC, BCR, and Art. 49 derogations. Output: a decision on whether the transfer may proceed without additional measures, with additional measures, or not at all.
Method per EDPB Recommendation 01/2020: mapping (R1), identification of transfer tools (R2), protection-level assessment (R3), additional measures (R4), procedural steps (R5), ongoing review (R6).
Practical output: a TIA document per third-country transfer path that rates residual risks and prescribes additional measures (e.g. EU key custody, pseudonymisation). Effectively a small decision memo.
Status 2026: DPF-certified US providers can receive data without a TIA where the categories are covered. Risk-aware companies still run a TIA because DPF stability is uncertain.
Related terms
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
DPIA
Mandatory assessment under GDPR Art. 35 where processing is likely to result in high risk to the rig…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
TCO modelling
A structured estimate of the full lifetime cost of a vendor decision, including licence, implementat…
TISAX
Audit standard and exchange platform of the German automotive association (VDA) for information secu…
TPRM
Discipline and tool category for governing risks from external providers (SaaS, cloud, outsourcing, …
Trade-off analysis
The explicit documentation of what each option gives up to deliver its strengths. Good trade-off ana…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
