Recital 101 of the GDPR states that personal data transferred from the EU to third-country controllers, processors, or international organizations must receive the same level of protection as guaranteed by the GDPR. This principle, demanding equivalent protection for personal data transferred outside of the EU, necessitates an evaluation of the adequacy of third-country data protection regimes. This evaluation is conducted through a Transfer Impact Assessment (TIA), which data exporters (the ‘exporter’) are obligated to perform. As per the GDPR, personal data can be transferred outside the EU using appropriate safeguards, such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs).
The Commission Nationale Informatique & Libertés (CNIL) in France has released a Practical Guide on Transfer Impact Assessment (TIA) to assist data exporters in conducting effective TIAs. Based on the guidance provided in the CNIL's recent publication, this blog explores the necessary steps and factors to consider when performing a TIA.
Summary: Key Compliance Measures for Businesses Handling Cross-Border Data Transfers
- Businesses should first ascertain whether they are legally obligated to conduct a TIA when engaging in cross-border transfers of personal data.
- If deemed a responsible party, businesses are required to perform a TIA before transferring personal data across borders, except in cases where an adequacy decision exists or when relying on specific derogations outlined in Article 49 of the General Data Protection Regulation (GDPR).
- Businesses must follow a comprehensive, step-by-step methodology (detailed below) to effectively execute and document the TIA.
1. Preparing for TIA
Before carrying out a TIA, the exporter needs to verify the following elements:
(a) Qualification of Data as Personal Data: The exporter should ensure that the data being transferred is personal data. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as a name, location data, etc.
(b) Existence of Transfer of Personal Data: The EDPB outlines three cumulative criteria for a processing operation to qualify as a data transfer under the GDPR:
(i) the exporter (controller, joint controller, or processor) is subject to the GDPR,
(ii) the exporter discloses or makes available personal data to an importer, and
(iii) the importer is in a third country (non-EEA) or an international organization.
Note that a transfer requires two legally distinct entities, and intra-entity data access does not count as a transfer.
2. Need to Carry Out a TIA
A TIA is required before transferring personal data to a third country using Article 46 GDPR tools, like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). However, no TIA is needed when:
(a) Adequacy Decision: The European Commission recognizes the destination country as providing adequate data protection so that no transfer tools or supplementary measures are needed. However, adequacy decisions may have a limited scope, like Canada’s adequacy decision, which applies only to private-sector organizations processing personal data for commercial purposes. If a transfer falls outside the scope of an adequacy decision given the decision’s limited scope, a TIA must be carried out.
(b) Article 49 Derogations: Transfers under the GDPR Article 49 derogations, such as the data subject’s explicit consent and necessity of transfer for the public interest, do not require a TIA but the transfers must comply with the conditions in that article. The EDPB emphasizes that these derogations should be used only in specific cases and must meet the strict necessity test.
3. Parties Responsible for Carrying Out a TIA
The exporter, whether acting as a controller or processor, is responsible for conducting the TIA, ensuring the data receives equivalent protection in the third country. The importer must assist the exporter by providing relevant information and legal insights. Several cases can be distinguished based on the role of each party in the processing.
(a) EEA Controller Exporting Data to Third-Country Processor: The EEA controller, acting as the exporter, must conduct the TIA with the processor’s assistance. The processor must provide the controller with relevant information, including reports on government data access and local legal frameworks.
(b) EEA Processor Exporting Data on Behalf of EEA Controller to Third-Country Sub-Processor: In this case, the processor acts as the exporter and is responsible for conducting the TIA. As per the GDPR, the processor must provide the EEA controller with the necessary information to demonstrate compliance, including the complete TIA. Ultimately, it remains for the controller to decide whether to engage the processor and sub-processor, ensuring that appropriate technical and organizational security measures are implemented to protect data subject rights. The controller’s level of scrutiny depends on the risk to data subjects' rights and freedoms.
(c) EEA Controller Exporting Data to Third-Country Controller: The EEA-based controller, acting as an exporter, is responsible for ensuring EEA equivalent protection of the data and must conduct the TIA with the assistance of the third-country controller, acting as the importer.
4. TIA Scope and Onward Transfers
The first step in the TIA is mapping data transfers to identify the importer and the third country. This mapping allows the data exporter to identify the supplementary measures to be put in place. The exporter must consider the entire data flow, including onward transfers, to assess risks for all data leaving the EEA. If the exporter is a processor, it must share this mapping with the controller. Onward transfers are also subject to compliance with the Article 46 GDPR transfer tool, such as SCCs, which require the importer not to disclose data outside the EU unless specific conditions are met.
5. Compliance of Transfer with GDPR Principles
Data transfers must comply with all GDPR principles. The controller needs to ensure the transfer is lawful based on one of the legal bases stipulated under the GDPR and that the data is adequate, relevant, and limited to what is necessary for the processing purposes. Data subjects must also be informed about the processing of their personal data in accordance with the rights granted to them under GDPR Articles 13 and 14. It is also preferable, where possible, to disclose or transmit anonymized data in place of personal data, while ensuring that the anonymization process effectively prevents re-identification.
6. Different Steps of the TIA
The following six steps need to be followed to carry out the TIA:
Step 1: Description of the Transfer
Description: This step focuses on gathering comprehensive details about the data transfer to assess its characteristics and sensitivity.
Key Information to Collect:
(i) Exporter Details: Name, contact details, exportation country, exporter qualification, and if applicable, details of the controller or joint controllers.
(ii) Importer Details: Name, contact details, importation country, importer qualification, and nature of the importer’s activities, including details of joint controllers or processors.
(iii) Transfer Details: Processing activities performed by the importer on the transferred data, transfer method, transfer format, transfer frequency, possibility of onward transfers, and types of personal data transferred (including special categories of personal data).
(iv) Data Subject Details: Categories of data subjects, including vulnerable individuals, transfer scope (total/partial), and if possible, data volume, number of data subjects, and start/end dates or duration of the transfer.

Step 2: Identification of Transfer Tool Used
Description: This step involves identifying the specific legal mechanism used for the data transfer, as outlined in Article 46 of the GDPR, to evaluate its effectiveness and adequacy.
Key Information to Collect:
(i) Article 46 Transfer Tools Used: Specific tools used, like SCCs, BCRs, or Codes of Conduct.
(ii) Evidence and Documentation of the Transfer Tools: Evidence and documentation of the transfer tools in place, such as signed contracts with the data importer or BCR copies with the list of entities forming part of the BCRs.

Step 3: Assessment of the Destination Country’s Legislation and Practices
Description: This step entails an evaluation of whether the destination country's legislation and practices weaken the chosen transfer tool's effectiveness, involving the importer in analyzing local data access laws.
Key Information to Collect:
(i) Data Protection Legislation Overview: Scope of the third country’s data protection legislation, the third country's participation in international data protection treaties, existence and independence of a data protection authority, data subject rights, and remedies.
(ii) Laws and/or Practices Allowing Access to Data: Laws requiring data disclosure to public authorities (including information about the concerned authority, scope, and nature of the obligation), clarity and precision of data access rules, necessity and proportionality of access as per the GDPR, independent monitoring of data access, and availability of effective remedies for data subjects.

Step 4: Identification & Adoption of Supplementary Measures
Description: This step involves the identification and adoption of additional safeguards to ensure compliance with EEA data protection standards.
Key Information to Collect:
(i) Documentation of Existing and Proposed Supplementary Measures: Document current and potential technical, contractual, and organizational safeguards against potential third-country data access, gathered through stakeholders’ (Chief Information Systems Officer and legal or technical experts) input.
(ii) Effectiveness Check: Confirm whether the supplementary measures provide data protection equal to EEA standards; stop the data transfer if they don't.

Step 5: Implementation of Supplementary Measures
Description: This step focuses on outlining the practical steps and actions needed to effectively implement the identified supplementary measures and address potential implementation challenges.
Key Information to Collect:
(i) Implementation Action Plan: A detailed plan for implementing the supplementary measures, including actions, estimated costs, assigned responsibilities, and completion timelines.
(ii) Expert Opinions: Input from the Data Protection Officer and Information Security Officer regarding the implementation.
(iii) Implementation Validation: Formal validation of the implementation by the responsible person, in accordance with internal governance policies.

Step 6: Re-evaluation at Appropriate Intervals
Description: This step relates to conducting periodic reviews of the transfer tools and supplementary measures to maintain their effectiveness, adapting to changes in the destination country’s regulatory environment.
Key Information to Collect:
(i) Re-evaluation Schedule: Determination of appropriate review intervals based on factors such as risks to data subject rights.
(ii) Triggering Events for Re-evaluation: Identification of potential changes (changes to third-country laws, the importer’s ability to comply, changes in the European Commission’s assessments) that necessitate immediate reassessment.
(iii) Monitoring Mechanisms: Establishment of processes to monitor legislative and regulatory developments in the destination country to anticipate the need for reassessment.
Conclusion
In conclusion, conducting a TIA is crucial to ensure the protection of personal data when transferred to third countries. By carefully assessing the data being transferred, the legal frameworks in the destination country, and implementing supplementary measures where necessary, exporters can mitigate data risks and maintain GDPR compliance. Continuous monitoring of transfers is also essential to address any legal changes and safeguard the rights and freedoms of data subjects.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center. It is a centralized platform designed to facilitate the safe use of data+AI. Thanks to its combination of modules and solutions, it provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Several of the world's most prestigious corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
The Data Command Center comes equipped with individual modules and solutions that are designed to ensure compliance with all major obligations an organization may be subject to. When conducting a TIA, these modules, such as DSR automation, data mapping, vendor assessments, consent management, and privacy impact assessments, can be leveraged to assist in a thorough and comprehensive TIA.
Furthermore, the centralized dashboard allows for real-time insights into an organization's relevant obligations and compliance activities, thereby enabling proactive interventions whenever necessary or convenient for continuous compliance.
Request a demo now and learn more about how Securiti can help you comply with your obligations when conducting a TIA and other data privacy and security-related activities.