LIVE · v1.1 STABLE
BUILD 2026.05.27
CHAPTER V
AGPL-3.0 · 12 EVAL CASES · 89 ASSERTIONS

THIRD-COUNTRY
TRANSFERS
by SIX-STEP
METHOD.

Runs the EDPB Recommendations 01/2020 six-step assessment on a Chapter V transfer. Transfer qualification, Art. 45 adequacy fast-track, Art. 46 full assessment, four essential guarantees, balanced Art. 49 derogation, and RoPA interchange delta — across 12 country profiles.

GDPR CHAPTER V   ·   ART. 44–49   ·   EDPB REC 01/2020   ·   EDPB REC 02/2020   ·   EDPB GUIDELINES 05/2021   ·   EDPB GUIDELINES 2/2018   ·   CNIL TIA GUIDE 2025   ·   SCHREMS II C-311/18   ·   EU-US DPF 2023/1795   ·   OLG MÜNCHEN 21 U 3882/25 E   ·   ESSENTIAL GUARANTEES   ·   ROSENTHAL METHOD   ·   GDPR CHAPTER V   ·   ART. 44–49   ·   EDPB REC 01/2020   ·   EDPB REC 02/2020   ·   EDPB GUIDELINES 05/2021   ·   EDPB GUIDELINES 2/2018   ·   CNIL TIA GUIDE 2025   ·   SCHREMS II C-311/18   ·   EU-US DPF 2023/1795   ·   OLG MÜNCHEN 21 U 3882/25 E   ·   ESSENTIAL GUARANTEES   ·   ROSENTHAL METHOD
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
TRANSFER QUALIFICATION
EDPB Guidelines 05/2021 three cumulative criteria. Settles whether a Chapter V transfer even exists before any assessment runs; the finding is a deliverable in its own right.
02
ESSENTIAL GUARANTEES
EDPB Recommendations 02/2020 four-pillar test on each surveillance law: clear rules / necessary & proportionate / independent oversight / effective remedies. Each rated adequate, concerns, or insufficient.
03
COUNTRY PROFILES
12 pre-built jurisdictions — US (non-DPF), US (DPF), UK, India, China, Brazil, Australia, Singapore, Turkey, UAE, South Africa, Russia — plus a generic questionnaire for unlisted countries.
04
PRACTICAL RISK (ROSENTHAL)
Step 3 Block C: importer request history, realistic targeting basis, plaintext-access necessity, realistic authority interest — without a statistical probability engine.
05
BALANCED ART. 49
EDPB Guidelines 2/2018 'last resort' framing set against OLG München 21 U 3882/25 e and the von Danwitz counter-position. Both positions documented as defensible.
06
ROPA INTERCHANGE
Emits a JSON delta conforming to RoPA's interchange-inbound-schema v1.0 — patches tia_ref, tia_status, supplementary_measures, and review dates into the RoPA sidecar.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Ten structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Transfer qualification gate
Apply the three cumulative criteria of EDPB Guidelines 05/2021. Fail any → output a Transfer Qualification Finding; Chapter V does not apply, but Art. 5/24/32 still bind.
02
TIA requirement check
Art. 45 adequacy → lightweight path. Art. 49 derogation → derogation path. Art. 46 tool (SCCs, BCRs, ad hoc) → full TIA from Step 1.
03
Step 1 — Know your transfer
Capture exporter, importer, country, data categories, subjects, purpose, volume, frequency, format, onward transfers. Flag each onward hop for separate assessment.
04
Step 2 — Identify the tool
Document the Chapter V mechanism and execution dates. Then ask whether any Art. 49 derogation could serve as a primary or backup basis.
05
Step 3 — Assess third-country law
Block A data-protection framework, Block B essential-guarantees rating per surveillance law, Block C practical risk to this data.
06
Step 3 conclusion — three-way fork
Tool effective → Step 6. Tool ineffective → Step 4. Ineffective on paper but no realistic basis the law applies → Step 6 with substantive, non-boilerplate justification (CNIL option 3).
07
Step 4 — Supplementary measures
Auto-suggest measures matched to identified gaps. Assess effectiveness, not mere presence. If gaps stay open → restructure or suspend.
08
Step 5 — Implementation plan
Measures, owners, due dates, SCC Annex II edits and side letters, encryption / pseudonymisation pipelines, timeline.
09
Step 6 — Re-assessment triggers
Standing triggers (adequacy review, DPF fragility), event-driven (new law, SA action, government request), periodic (12-month default). Set next review date.
10
Output generation
Markdown report, .docx formal TIA with CNIL-style tables and sign-off block, JSON delta for RoPA, and a one-page Transfer Risk Summary for batches.
§ 03 · MODES

FOUR PATHS.
One OUTCOME.

Match the workflow to the situation. The skill router picks automatically; you can override.

ADEQUACY FAST-TRACK
Destination has an Art. 45 decision. Lightweight: document the decision, conditions, expiry, and DPF fragility — no full TIA required.
FULL ART. 46
SCCs, BCRs, ad hoc clauses, codes, or certifications. Runs the complete six-step pipeline including the essential-guarantees and practical-risk assessment.
ART. 49 DEROGATION
Balanced derogation analysis. EDPB Guidelines 2/2018 position against OLG München / von Danwitz counter-position; document which basis the practitioner relies on.
QUALIFICATION ONLY
'Is this even a transfer?' Applies the three cumulative criteria and returns a Transfer Qualification Finding without running the pipeline.
§ 04 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof. 

tia/
├── evals  # Test cases + assertions
│   └── evals.json  # 12 cases, 89 assertions
├── references  # Reference corpus
│   ├── country-profiles
│   │   ├── ae.md
│   │   ├── au.md
│   │   ├── br.md
│   │   ├── cn.md
│   │   ├── generic-assessment.md
│   │   ├── in.md
│   │   ├── ru.md
│   │   ├── sg.md
│   │   ├── tr.md
│   │   ├── uk-post-adequacy.md
│   │   ├── us-dpf.md
│   │   ├── us-non-dpf.md
│   │   └── za.md
│   ├── art49-derogations.md
│   ├── edpb-six-steps.md
│   ├── essential-guarantees.md
│   ├── interchange-delta.md
│   ├── schrems-ii-holdings.md
│   ├── sources.md
│   ├── supplementary-measures.md
│   ├── tia-template.md
│   └── transfer-qualification.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 05 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire tia/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r tia/ \
   ~/.claude/skills/user/
§ 06 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Markdown TIA Report
In-session preview and working document. Sections mirror Steps 1–6.
.docx Formal TIA
Compliance-file document using the tia-template structure: CNIL-style tables, cover page, assessor + DPO sign-off block, country-profile annex.
JSON Interchange Delta
Sidecar conforming to interchange-inbound-schema v1.0. Patches tia_ref, tia_status, supplementary_measures[], tia_completed_date, tia_review_date. Lands in RoPA's inbound folder.
Transfer Risk Summary
One-page executive overview for batch assessments. Per-transfer row: destination, mechanism, verdict, key risk, measures. No numerical scores.
Transfer Qualification Finding
Standalone deliverable documenting which criterion fails and why Chapter V does not apply — proof the question was assessed.
§ 07 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

12
Test Cases
89
Assertions
100%
Coverage Required
01
We're an Austrian company
8 ASSERTS
02
Our French employee George travels to Brazil for a one-week conference
7 ASSERTS
03
We're a German manufacturer transferring HR data of EU employees to our Japanese...
7 ASSERTS
04
We're a German company that wants to use a US-based vendor listed as DPF-certifi...
6 ASSERTS
05
We're an Italian retailer using a US-based marketing analytics SaaS (NOT DPF-cer...
8 ASSERTS
06
We're considering moving our customer data warehouse to a Chinese cloud provider...
8 ASSERTS
07
We operate a global social media platform
7 ASSERTS
08
We're a small German legal firm (12 lawyers) using a niche Indian legal-research...
8 ASSERTS
§ 08 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

GDPR Chapter V (Arts. 44–49)
Statutory basis for third-country transfers.
EDPB Recommendations 01/2020 v2.0
Six-step methodology for supplementary measures (18 June 2021).
EDPB Recommendations 02/2020
Four essential guarantees for surveillance law (10 November 2020).
EDPB Guidelines 05/2021 v2.0
Three cumulative criteria for transfer qualification (14 February 2023).
CJEU C-311/18 (Schrems II)
Adequacy invalidation and the pre-transfer TIA obligation (16 July 2020).
OLG München, 21 U 3882/25 e
Art. 49(1)(b) accepted for inherently international services (11 May 2026).
§ 09 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every guarantee rating, every Step 3 conclusion, every derogation verdict traces back to a cited EDPB, CNIL, CJEU, or national-court authority.
VERIFIED
Reproducible assessments.
Workspace checkpoints after every step; resume from state.json and recreate the TIA years later for audit or litigation.
IMMUTABLE
Effectiveness before sign-off.
Supplementary measures are tested for whether they actually close the gap — not merely listed — before any document ships.
ENFORCED
**
EU-native.
Built around EDPB Recommendations, CNIL tables, and emerging EU national case law. Not a retrofitted US-centric checklist.
NATIVE
§ 10 · README.MD

TIA (Transfer Impact Assessment) — Deployment Guide

Overview

GDPR Transfer Impact Assessment skill — structured Chapter V transfer guidance for Claude. Combines:

  • EDPB Recommendations 01/2020 six-step methodology (regulatory backbone)
  • CNIL TIA Guide (final version, January 2025) — structured assessment tables and three-way Step 3 conclusion
  • EDPB Recommendations 02/2020 — four essential guarantees framework for surveillance-law assessment
  • EDPB Guidelines 05/2021 — three cumulative criteria for transfer qualification, with 12 example scenarios
  • Rosenthal method influence — pragmatic Step 3 Block C ("realistic risk to this data") without statistical probability calculations
  • 12 pre-built country profiles — US (non-DPF), US (DPF), UK, India, China, Brazil, Australia, Singapore, Turkey, UAE, South Africa, Russia + generic questionnaire
  • Balanced Art. 49 treatment — EDPB Guidelines 2/2018 + OLG München (21 U 3882/25 e, 2026) judicial counter-position
  • Audit-ready output — Markdown report + .docx formal document + JSON delta for RoPA interchange

File Structure

skills/tia/
├── SKILL.md                              # Main skill instructions (deploy this)
├── CHANGELOG.md                          # Version history
├── README.md                             # This file
├── evals/
│   └── evals.json                        # 12 behavioural test cases
└── references/
    ├── edpb-six-steps.md                 # EDPB Rec 01/2020 methodology
    ├── essential-guarantees.md           # EDPB Rec 02/2020 four-pillar framework
    ├── transfer-qualification.md         # EDPB Guidelines 05/2021 — 3 criteria + 12 examples
    ├── art49-derogations.md              # Art. 49 balanced assessment (EDPB + judicial)
    ├── supplementary-measures.md         # Catalog (technical / contractual / organisational)
    ├── schrems-ii-holdings.md            # C-311/18 key holdings + implications
    ├── tia-template.md                   # Document template structure
    ├── interchange-delta.md              # RoPA delta format
    ├── sources.md                        # Regulatory source references
    └── country-profiles/
        ├── us-non-dpf.md                # USA outside DPF
        ├── us-dpf.md                    # USA DPF-certified
        ├── uk-post-adequacy.md          # UK (adequacy renewed Dec 2025)
        ├── in.md                        # India
        ├── cn.md                        # China
        ├── br.md                        # Brazil
        ├── au.md                        # Australia
        ├── sg.md                        # Singapore
        ├── tr.md                        # Turkey
        ├── ae.md                        # UAE (DIFC / ADGM / mainland)
        ├── za.md                        # South Africa
        ├── ru.md                        # Russia
        └── generic-assessment.md        # Guided questionnaire for unlisted countries

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent).
  2. Upload the entire tia/ folder structure.
  3. The skill triggers on "TIA", "Transfer Impact Assessment", "Schrems II", "third-country transfer", "Art. 46", "Art. 49", and similar terms.

Claude Code / Custom Setup

# Symlink the skill from the monorepo
ln -s ~/CLAUDE_PROJECTS/SKILLS/claude-skills/skills/tia ~/.claude/skills/tia

Usage

Quick Start

Example prompts that trigger the skill:

  • "We're using SCCs Module 2 to transfer HR data to our payroll processor in India. Do I need supplementary measures?"
  • "I need a TIA for our US cloud provider — they're DPF-certified."
  • "Is remote support access from our Indian sub-processor considered a Chapter V transfer?"
  • "Can we rely on Art. 49(1)(b) for our global SaaS user data flows to the US?"

Trigger Phrases

  • "TIA", "Transfer Impact Assessment"
  • "Schrems II", "Chapter V"
  • "Art. 44 / 45 / 46 / 47 / 49"
  • "transfer to [country]" (US, India, China, etc.)
  • "SCCs assessment", "BCRs"
  • "supplementary measures"
  • "DPF transfer", "EU-US Data Privacy Framework"
  • "adequacy decision"
  • "essential guarantees"
  • "Drittlandsübermittlung", "Drittlandtransfer"

Assessment Modes

Mode When Output
Single transfer assessment One known transfer Markdown + .docx TIA
Batch / registry Multiple transfers Registry + per-transfer pipeline + Transfer Risk Summary
Discovery (standalone) No RoPA, multiple transfers Discovery walkthrough → registry → assessments
RoPA import Has RoPA sidecar Import transfers → assess each
Adequacy fast-track Destination has adequacy Lightweight assessment + monitoring triggers
Art. 49 path Derogation potentially applies Balanced assessment (EDPB + judicial)
Transfer qualification only "Is this even a transfer?" Qualification finding
Review / update Existing TIA + legal change Re-assessment of affected sections

Outputs

Format Purpose
Markdown TIA Report In-session preview, working document
.docx Formal TIA Document Compliance file, CNIL-style tables, sign-off block
JSON Delta RoPA interchange — patches tia_ref, tia_status, supplementary_measures[], dates
Transfer Risk Summary One-page executive overview for batch assessments

Regulatory Basis

Document Reference Purpose
GDPR Chapter V Arts. 44–49 Statute
Schrems II CJEU C-311/18 (16 July 2020) Adequacy + TIA obligation
EDPB Rec 01/2020 v2.0 (18 June 2021) Six-step methodology
EDPB Rec 02/2020 (10 November 2020) Essential guarantees
EDPB Guidelines 05/2021 v2.0 (14 February 2023) Transfer qualification
EDPB Guidelines 2/2018 (25 May 2018) Art. 49 derogations (EDPB view)
CNIL TIA Guide January 2025 (final) Practical structured tables
OLG München, 21 U 3882/25 e (11 May 2026) Art. 49(1)(b) for global services
Implementing Decision (EU) 2023/1795 (10 July 2023) EU-US DPF adequacy

Cross-Skill Integration

Skill Direction What flows
RoPA Inbound Read sidecar; filter third-country transfers; pre-populate Step 1
RoPA Outbound Emit delta file per assessed transfer (conforming to RoPA inbound schema v1.0)
DPIA Sentinel Flag only If Step 3 reveals high-risk processing, flag for Art. 35 DPIA consideration (no auto-trigger)

Version History

See CHANGELOG.md for full version history.

License & Disclaimer

AGPL-3.0. See repository LICENSE.

This skill provides structured GDPR Chapter V guidance based on EDPB Recommendations, CNIL guidance, and emerging case law. It is not legal advice. Involve your DPO and qualified counsel for final decisions, especially where the skill flags a transfer for suspension or restructuring. The skill's country profiles reflect the law and practice as of the "Last verified" date stated in each profile — verify current status before formal use.

Created by Oliver Schmidt-Prietz — OneZero Legal