--- title: "EU GDPR Transfer TIA and SCC Workflow" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow" author: "Sorena AI" description: "A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "GDPR transfers" - "transfer impact assessment" - "TIA" - "SCC" - "standard contractual clauses" - "adequacy decision" - "supplementary measures" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR Transfer TIA and SCC Workflow A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. *Workflow* *EU GDPR* ## GDPR transfer TIA and SCC workflow Use this workflow before sending personal data from the EEA to a third country or international organisation without relying only on a contract label. It keeps adequacy checks, SCC module selection, Clause 14 assessment, importer evidence, supplementary measures, and stop-transfer decisions in one auditable transfer record. This workflow is for GDPR Chapter V transfer reviews where personal data leaves the EEA and the team needs to decide whether an adequacy decision is enough, whether standard contractual clauses are needed, and whether the transfer also needs supplementary measures after Schrems II. ## Start with the transfer route Open one transfer record for each distinct exporter, importer, destination country, transfer tool, data set, and processing purpose. Do not group unrelated vendors or destinations into one generic TIA because the SCC assessment depends on the transfer's specific circumstances. First decide whether the destination is covered by a current adequacy decision for the relevant recipient and sector. If it is, record the adequacy route and keep evidence that the recipient actually falls inside the decision. If it is not, move to the Article 46 transfer-tool review. - Record the exporter, importer, onward recipients, destination country, storage location, transmission channel, and whether the recipient is a controller, processor, or sub-processor. - Identify the personal data categories, data-subject groups, special-category or criminal-offence data, transfer frequency, retention period, and business purpose. - Check whether an adequacy decision applies to the destination and recipient type; for the United States, record whether the organisation participates in the EU-US Data Privacy Framework if that is the claimed route. - If adequacy does not cover the transfer, identify the Article 46 tool, usually the 2021 SCCs, and preserve the reason Article 49 derogations were not used as the operating basis. Sources for this answer: - [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Grounds the adequacy gate: an adequacy decision lets personal data flow to the covered third country without further safeguards, while the listed scope must still be checked. - [European Commission - EU-US data transfers](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en?ref=sorena.io) - Grounds the EU-US branch of the workflow for companies participating in the EU-US Data Privacy Framework. - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Grounds the Chapter V transfer categories: adequacy decisions, appropriate safeguards, and derogations. ## Build the SCC package before the TIA conclusion Where the transfer uses SCCs, the contract package should identify the right module and complete the appendices before the team signs off the transfer assessment. Empty annexes, generic security descriptions, or missing onward-transfer details make the assessment hard to defend. The 2021 SCCs use a modular structure for different transfer scenarios. The workflow should therefore tie the selected module to the actual exporter/importer roles, then attach the transfer details, technical and organisational measures, sub-processor information where relevant, and competent supervisory authority details. - Select the SCC module that matches the transfer: controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller. - Complete Annex I with parties, transfer description, categories of personal data, data subjects, purposes, retention, recipients, and competent supervisory authority. - Complete Annex II with specific technical and organisational measures for this transfer, not a generic security-policy reference. - Complete Annex III where sub-processors are part of the chosen module and authorisation model. - Record who can approve SCC signature, who can update annexes, and who receives importer notices about inability to comply or public-authority access requests. Sources for this answer: - [Commission Implementing Decision (EU) 2021/914 - Standard Contractual Clauses](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Grounds the SCC package requirements, including the modular approach, annexes, transfer details, and specific technical and organisational measures. - [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Provides the Commission SCC resource page used to locate SCC materials for international data transfers. ## Run the transfer impact assessment The TIA should answer one narrow question: in the circumstances of this transfer, can the chosen Article 46 tool work effectively in the destination country, or do local laws and practices undermine the protection promised by the SCCs? Schrems II and the SCCs require a case-by-case assessment. The record should cover the transfer facts, the destination-country laws and practices relevant to the importer and data, the importer evidence, and any safeguards already in place. - Use the EDPB sequence: know the transfers, verify the transfer tool, assess destination laws and practices, identify supplementary measures if needed, take required procedural steps, and re-evaluate at appropriate intervals. - For Clause 14, record the transfer circumstances, processing-chain length, transmission channels, recipient type, purpose, data categories and format, sector, storage location, relevant destination-country laws and practices, and existing safeguards. - Ask the importer for objective, reliable, relevant, verifiable, and lawfully shareable information about public-authority access risks, prior requests where usable, challenge procedures, transparency limits, and technical controls. - Do not treat absence of past access requests as decisive by itself; corroborate it with public or otherwise accessible information where the assessment relies on importer experience. - Have legal or privacy leadership approve the assessment report, including the sources checked, people involved, dates of checks, conclusion, and residual risk. Sources for this answer: - [EDPB Recommendations 01/2020 on supplementary measures](https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer%5Fen?ref=sorena.io) - Grounds the exporter workflow for assessing third-country laws and practices and documenting supplementary-measure decisions. - [Commission Implementing Decision (EU) 2021/914 - Standard Contractual Clauses](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Grounds Clause 14 factors for assessing local laws and practices and the importer cooperation obligation. - [CJEU Schrems II judgment, Case C-311/18](https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN&ref=sorena.io) - Grounds the case-by-case obligation to consider both SCC commitments and the destination country's legal system. ## Decide, supplement, suspend, or stop The workflow should end in an explicit transfer decision, not a vague risk note. A transfer can proceed under SCCs only when the team can explain why the SCCs, together with any supplementary measures, ensure the required level of protection for that transfer. If destination laws or practices prevent the importer from complying and effective supplementary measures cannot close the gap, the record should say that the transfer must not start or must be suspended or ended. - Proceed under adequacy only when the adequacy decision covers the destination, recipient, sector, and transfer facts recorded for the workflow. - Proceed under SCCs without extra measures only when the TIA documents why the destination laws and practices do not undermine the SCCs for this transfer. - Proceed under SCCs with supplementary measures only when the measures are specific, effective for the identified risk, and do not contradict the SCCs. - Use technical, contractual, and organisational measures as needed, but record why each measure works for the actual data, importer, destination law, and processing purpose. - Suspend, end, or do not start the transfer when no effective supplementary measure can ensure the required level of protection, or when the importer can no longer comply with the SCCs. Sources for this answer: - [EDPB Recommendations 01/2020 on supplementary measures](https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer%5Fen?ref=sorena.io) - Grounds the supplementary-measure decision and the obligation to avoid, suspend, or terminate transfers where no effective measure is available. - [Commission Implementing Decision (EU) 2021/914 - Standard Contractual Clauses](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Grounds SCC consequences when the importer cannot comply, including suspension, termination, return, or deletion. - [CJEU Schrems II judgment, Case C-311/18](https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN&ref=sorena.io) - Grounds the requirement that SCC transfers be suspended or prohibited if the required EU level of protection cannot be ensured. ## Evidence to keep with each transfer record A useful transfer record lets privacy, legal, vendor-management, and security teams reconstruct the decision without searching email threads. Keep the evidence close to the vendor or system record so it is updated when the service, country, subprocessors, or data categories change. Reopen the workflow when the transfer facts change, the importer reports an inability to comply, there is a new or changed public-authority access risk, supplementary measures stop working, SCC annexes change, or adequacy coverage changes. - Transfer map: exporter, importer, onward recipients, countries, systems, purposes, data categories, data-subject categories, frequency, retention, and storage locations. - Adequacy evidence: decision relied on, scope match, recipient participation evidence where relevant, and date the scope was checked. - SCC evidence: signed module, completed Annex I, Annex II, Annex III where relevant, competent supervisory authority entry, and owner for annex updates. - TIA evidence: laws and practices assessed, importer materials, public or accessible corroborating sources, practical-experience analysis if used, approver, dates, conclusion, and next review trigger. - Supplementary-measure evidence: measure owner, implementation proof, control test, importer commitment, residual risk, and stop-transfer condition. - Operational evidence: process for public-authority request notices, challenge steps, inability-to-comply notices, suspension decisions, termination, return, and deletion. Sources for this answer: - [EDPB Recommendations 01/2020 on supplementary measures](https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer%5Fen?ref=sorena.io) - Grounds the evidence expectation that assessments and supplementary measures be documented and made available to authorities on request. - [Commission Implementing Decision (EU) 2021/914 - Standard Contractual Clauses](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Grounds evidence fields for SCC annexes, importer documentation, public-authority request records, and specific security measures. - [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Grounds the adequacy evidence check and review trigger because adequacy decisions can be maintained, amended, or withdrawn. *Recommended next step* *Placement: before sources* ## Use this workflow to structure GDPR transfer records Sorena can help convert SCC packages, importer evidence, TIA conclusions, and supplementary-measure controls into reusable transfer records for GDPR work. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about adequacy, SCCs, TIA evidence, and supplementary measures using the cited sources on this page. - [Talk through GDPR transfer implementation](/contact.md): Review your transfer route, SCC annexes, importer evidence, and supplementary-measure gaps with Sorena. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Chapter V transfer routes, including adequacy decisions, appropriate safeguards, and derogations. - Quote: "transfers of personal data to third countries" - [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Commission page used for adequacy-decision scope and effect in the transfer workflow. - Quote: "without any further safeguard being necessary" - [European Commission - EU-US data transfers](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en?ref=sorena.io) - Commission page used for the EU-US Data Privacy Framework adequacy branch. - Quote: "companies in the United States that participate" - [Commission Implementing Decision (EU) 2021/914 - Standard Contractual Clauses](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Legal act containing the 2021 SCCs, modular structure, Clause 14 local-law assessment, Annex requirements, and transfer suspension/termination mechanics. - Quote: "the specific circumstances of the transfer" - [EDPB Recommendations 01/2020 on supplementary measures](https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer%5Fen?ref=sorena.io) - EDPB recommendations used for the transfer assessment sequence, supplementary-measure evaluation, documentation expectations, and stop-transfer outcomes. - Quote: "conduct this assessment with due diligence" - [CJEU Schrems II judgment, Case C-311/18](https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN&ref=sorena.io) - Court judgment grounding the requirement to assess SCC transfers in light of the destination country's legal system and suspend or prohibit transfers when the required protection cannot be ensured. - Quote: "suspended or prohibited" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow