This is a smart document generation tool that will guide you through the Transfer Impact Assessment template created by the French DPA – CNIL. 

Based on your answers next questions will be revealed. If you have any questions let us know at 


  • Pre-evaluation
  • Final
Radio Buttons
Is the data in question personal data?
Art. 4 (1)
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

See additional resources here and here

Are the three criteria from the EDPB guidelines (5/2021) cumulatively present? Please check the applicable boxes:


What is the qualification of the actor implicated?
Does the transfer comply with the principles of the GDPR and, particular, can you minimise the amount of personal data transferred or transfer anonymised data rather than personal data?
Consider all GDPR principles, especially the legal basis of the processing. Make sure the data is strictly necessary for the purposes for which it is transferred.
Can your data be transferred to a country that has been recognised by the European Commission as offering an adequate level of protection?
Transfers of personal data to countries that have been recognised by the European Commission as offering an  adequate level of protection do not require the implementation of supplementary measures. If you are thus able to transfer personal data to such a country, this will ensure an adequate level of protection for the data in question. In this case, you will not need to carry out a TIA.
Please note that adequacy decisions may have a limited scope (for example, Canada's adequacy decision only applies to private sector organisations that process personal data in the course of commercial activities) or  concern only certain self-certified entities in the concerned country (for example, self-certified entities under the adequacy decision for the United States). It is therefore up to you to check that the planned transfer is covered by the adequacy decision.
You should also bear in mind that adequacy decisions are subject to periodic review. You should therefore regularly check the list of countries that have been the subject of an adequacy decision in case new decisions have been adopted, or countries have been removed from the list.

See the full list of the countries covered bt an adequacy decision.


Tags: template