Question 23
UnclassifiedWhy might a company conduct a transfer impact assessment even when a standard mechanism is available?
Correct answer: B
Explanation
A standard mechanism alone does not guarantee lawful protection in every transfer. A transfer impact assessment checks whether the mechanism is effective “in context,” including destination-country risks and whether practical safeguards can actually protect the data.
Why each option is right or wrong
A. To ignore the mechanism entirely
B. To evaluate whether the mechanism is effective in context, considering destination-country risks and practical safeguards
Under GDPR Chapter V, a transfer tool such as an SCCs-based transfer is only valid if the protection it provides is not undermined in practice by the law or practices of the destination country. The CJEU in Schrems II (Case C-311/18) and EDPB Recommendations 01/2020 require the exporter to assess, before transfer, whether the recipient country’s surveillance laws, access powers, and available supplementary measures will actually preserve an essentially equivalent level of protection. The assessment is therefore done to test the mechanism’s real-world effectiveness in that specific destination, not merely its formal availability.
C. To avoid documenting any concerns
D. Because TIAs apply only to domestic transfers