Managing transfer impact assessments in practice
Many companies overlook that transfer mechanisms, such as standard contractual clauses, don’t work on their own. Before transferring personal data outside the EU, you must complete a transfer impact assessment (TIA). Depending on the outcome of the assessment, supplementary measures may be required to support the transfer.
In 2020, the European Court of Justice emphasised that the level of protection under the GDPR follows the data, even when it travels. When data is transferred to a third country, the transfer must not undermine the protection. Instead, the data must be guaranteed a level of protection that is “essentially equivalent” to that within the EU.
This means that standard contractual clauses and other transfer tools can’t stand alone. Data exporters must first check whether the rules and practices in the destination country will undermine the safeguards under the tool. That is done by completing a TIA, which consists of four steps:
- Map your transfer
- Verify the transfer tool you rely on
- Assess the rules and practices in the destination country
- Identify and adopt supplementary measures, if relevant
If the destination country doesn’t provide an essentially equivalent level of protection, the transfer can’t proceed until supplementary measures are in place. If no suitable measures exist, the transfer must be avoided, suspended, or terminated.
IUNO’s opinion
Assessing a third country’s laws and practices can be difficult. It’s often best to involve your data importer in the process. They can help by sharing relevant legal sources, input on local practices, and examples or statistics of practical experience.
Supplementary measures can take various forms. Ideally, your company should combine technical, contractual, and organisational safeguards. Technical measures can involve encryption, pseudonymisation, or split processing. Organisational and contractual measures can be internal policies, transparency measures, or an obligation to disclose laws.
[The European Court of Justice in case C-311/18 of 16 July 2020]