GDPR Learning Hub

Data Transfer Impact Assessment (DTIA)

If a company intends to transfer personal data to a third country that is not covered by an adequacy decision of the European Commission, it must first carry out and document a Data Transfer Impact Assessment, also known as a “DTIA” (often simply called a Transfer Impact Assessment, “TIA”). 

When do companies need to conduct a Data Transfer Impact Assessment (DTIA)?

A Data Transfer Impact Assessment (DTIA) is an organisational accountability measure that companies must take before transferring personal data to a third country, unless that country is covered by an adequacy decision. It is also relevant for indirect transfers, which many companies overlook. For example, a company may use a cloud service to process personal data while the provider hosts the data, or has support staff who can access it, outside the EU/EEA. Under the GDPR, making personal data available to a recipient in a third country, including by remote access, is a transfer just as much as physically sending the data there. Many everyday business services can therefore be covered, such as third-country providers of email services, web analytics tools or CRM systems. 

Please note that using the standard contractual clauses developed by the European Commission, also known as “SCC”, does not remove the need for a Data Transfer Impact Assessment. On the contrary, the 2021 SCCs (Clause 14) expressly require the parties to assess whether the law and practice of the destination country prevent the data importer from complying with the clauses, to document that assessment and to make it available to the competent supervisory authority on request. The same applies to the other transfer tools under Article 46 of the GDPR, such as binding corporate rules.

Reputable suppliers and public procurement processes frequently require Data Transfer Impact Assessments

It is common for companies to have to carry out and document Data Transfer Impact Assessments because it is a requirement for winning a public procurement. It is also not uncommon for reputable suppliers and larger companies to demand it from their partners and subcontractors. Documented impact assessments of data transfers to third countries can also increase trust among customers and employees. 

Definition of “third country” and “adequate level of protection”

Third country

A country outside the EU/EEA is referred to as a third country under the GDPR. If a company within the EU/EEA transfers personal data to a third country, the stricter rules of Chapter V of the GDPR (Articles 44 to 49) apply on top of the rules that govern any processing within the Union, whereas a transfer between two actors within the EU/EEA needs no such additional basis.

Adequate level of protection

Companies may transfer personal data to a third country without having to take any additional safeguards if that third country has an adequate level of protection. Please note that only the European Commission can decide this, by way of an adequacy decision under Article 45 of the GDPR. An adequacy decision does not necessarily have to cover a whole country; under Article 45(1) it may also cover a specific territory, one or more specified sectors within a country, or an international organisation. In its assessment, the Commission looks at, among other things, the rule of law and respect for human rights in the third country, the relevant legislation (including on public security, defence and access to personal data by public authorities), whether the country has independent supervisory authorities for data protection issues with effective powers, and what administrative and judicial redress is available to data subjects. A list of the adequacy decisions currently in force is published on the European Commission's website.

Purpose of carrying out an impact assessment on data transfers

The purpose of drawing up the impact assessment is to evaluate whether the personal data will, in practice, enjoy a level of protection in the recipient country that is essentially equivalent to that guaranteed in the EU/EEA, and whether the chosen transfer tool (for example the SCCs) is effective there. The assessment therefore looks at, for example, what legal means the data subjects have to exercise their rights, the laws on surveillance and public-authority access to data, and legal certainty in the country. Where the transfer tool alone is not effective, the assessment also identifies which supplementary measures can close the gap. 

What should be included in a Data Transfer Impact Assessment?

Mapping

First of all, it is necessary to map and identify the personal data that will be transferred: the categories of data (including any special categories) and of data subjects, the scope and purpose of the transfer, the systems through which it flows, the recipient country and the legal transfer tool relied on. The mapping must also cover onward transfers, for example from the importer to its own sub-processors, and remote access from third countries. Keep in mind that the rest of the assessment is only as good as this mapping of the planned data transfer and the actors involved.

Recipient country

A Data Transfer Impact Assessment is fundamentally about analysing the recipient country, both its law and how that law is applied in practice. Relevant questions include whether its laws allow public authorities to access the personal data in a way that goes beyond what is necessary and proportionate in a democratic society, whether the importer is actually subject to such laws for the data in question, what rights and remedies the data subjects have under the recipient country's data protection legislation, and whether the resulting level of protection is essentially equivalent to European requirements.

Assessment

Where the analysis of the recipient country shows that the transfer tool alone does not ensure an essentially equivalent level of protection, the company needs to take appropriate supplementary technical and organisational measures to minimise the risks associated with the transfer of personal data from the EU/EEA to the third country. Which precise measures are appropriate depends on the case. Technical measures include encrypting or pseudonymising the data before transfer, with the keys or the re-identification information kept within the EU/EEA so that the importer cannot read the data in clear; organisational measures include contractual commitments to challenge access requests, transparency obligations and stricter logging and auditing of access than usual. Please note that the transfer is not allowed, and must be suspended if already ongoing, if no measures can bring the protection up to the required level.
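As an added illustration, not part of the original page, the following Go program shows the kind of technical supplementary measure the EDPB's Recommendations 01/2020 describe for encrypted storage in a third country: the data exporter encrypts each record with AES-256-GCM before it leaves the EU/EEA and keeps the key, so the third-country importer (or an authority compelling it) holds only ciphertext it cannot read and cannot modify without detection. The function names, the transfer reference used as associated data and the sample record are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewExporterKey generates a 256-bit key that stays with the data exporter
// inside the EU/EEA. The key is never sent to the third-country importer.
func NewExporterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM before it leaves the exporter.
// aad is authenticated but not encrypted; here it carries the transfer
// reference so a blob cannot be silently re-used under another transfer.
// The returned blob (nonce || ciphertext || tag) is all the importer stores.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob produced by Seal. It fails on a wrong key, a modified
// ciphertext or a mismatching aad, so the exporter also detects tampering
// that happened while the data sat with the importer.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ImporterCanRead models what the importer, or an authority compelling it,
// can recover: it has the blob and the aad but not the exporter's key, so it
// is reduced to guessing keys, and any guess fails authentication.
func ImporterCanRead(blob, aad, guessedKey []byte) bool {
	_, err := Open(guessedKey, blob, aad)
	return err == nil
}

func main() {
	// Constructed sample record; not real personal data.
	record := []byte(`{"employee_id":"E-1042","name":"Example Person"}`)
	// Hypothetical transfer reference from the DTIA mapping step.
	transferRef := []byte("DTIA-2024-007/backup-storage")

	key, err := NewExporterKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record, transferRef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("importer stores %d bytes of ciphertext\n", len(blob))
	fmt.Println("importer can read with a guessed key:",
		ImporterCanRead(blob, transferRef, make([]byte, 32)))
	pt, err := Open(key, blob, transferRef)
	fmt.Println("exporter recovers record:", err == nil && bytes.Equal(pt, record))
}
```

This measure only works where the importer does not need the data in clear, for example for backup or pure storage. If the importer must process the plaintext, encryption at rest performed by the provider with provider-held keys does not address the problem, because the provider can be compelled to decrypt; in that situation the assessment has to look at other measures or conclude that the transfer cannot go ahead.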

Remaining risk

The last part of the Data Transfer Impact Assessment is about analysing what risk remains after all the measures taken by the company (the residual risk). On that basis the company decides whether or not the transfer can go ahead, and documents the decision and its reasoning. The assessment is not a one-off exercise: it has to be revisited at appropriate intervals and whenever the circumstances change, for example when the recipient country adopts new legislation, a new adequacy decision is issued or withdrawn, or the importer changes sub-processors.

What consequences can companies have if they do not carry out a Data Transfer Impact Assessment?

The consequences depend on the circumstances of the case. A transfer carried out without the required assessment is, however, a breach of the GDPR and may result in an administrative fine, and the supervisory authority may also order the transfer to be suspended or the data flows to be stopped. The amount of a fine depends on the details of the situation and the size of the company. Unlawful transfers to third countries fall under Article 83(5) of the GDPR, the category of the most serious infringements, for which the maximum is 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. 

Data protection officer to be consulted when carrying out impact assessment

When carrying out an impact assessment, the company should always consult its data protection officer if it has appointed one. Article 35(2) of the GDPR makes this an express duty for Data Protection Impact Assessments (DPIAs). A Data Transfer Impact Assessment is not itself a DPIA, but the DPO's tasks under Article 39 of the GDPR, advising the company on its data protection obligations and monitoring compliance, together with supervisory and compliance practice following the Schrems II judgment, mean that the company should consult its Data Protection Officer on specific Data Transfer Impact Assessments as well, and document that it has done so. 

Learn more

Risk assessment

Companies must carry out a risk assessment before starting a new processing of personal data. The same applies when the company introduces new technology or new systems into existing processing. The risk assessment analyses what risks and consequences the processing may have for the data subjects, and what measures the company can take to reduce those risks to an acceptable level.
