Regulating Data Protection for Systemic Safety
December 07, 2022

GDPR, DPIA, PIA, Schrems II, Privacy Shield, TIA - if you are even just remotely active in privacy, data management, GRC, IT, IS, marketing or HR, these acronyms have become part of your everyday language. Transfer Impact Agreement, TIA, is a relatively new addition to the collection of acronyms. But what is it?

The impetus to conduct a TIA comes from three legal authorities:

  1. European Court of Justice, ECJ
  2. European Data Protection Board, EDPB
  3. European Commission, EC

European Court of Justice

First, in the European Court of Justice’s Schrems II decision, the ECJ stated that even when an organization uses a contractual transfer mechanism provided for under the GDPR, it is:

“…above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguard to those offered by those clauses.”

European Data Protection Board

Second, when the European Data Protection Board (EDPB) finalized its recommendations on data transfer tools, it recommended that before transferring personal data out of the EEA to a country that lacks an adequacy decision from the European Commission, a data exporter should assess, in collaboration with the importer (where appropriate), whether there is

“…anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer.”

This means that in practice, for any data transfer out of the EU/EEA, you must do the following:

  1. Analyze the legislation of the data importer’s country.
  2. Identify if public authorities of the third country may seek access to the data with or without the data importer’s knowledge either via legislation, practice, or reported precedent.
  3. Identify if public authorities of the third country may be able to access the data through the telecommunication providers or communication channels considering legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedent.

European Commission

Based on Schrems II, the European Commission approved new standard contractual clauses which contain a requirement, within Clause 14, that for all transfers of personal information (regardless of whether they originate from, or are received by, a controller or a processor) the Parties must:

“…warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer prevent the data importer from fulfilling its obligations under these Clauses.”

The data importer specifically warrants that it has:

“…made its best efforts to provide the data exporter with the relevant information.”

To complete the assessment, the Parties jointly agree to:

“…document the assessment and make it available to the competent supervisory authority on request.”

Appropriate safeguards for such transfers include:

  • Binding corporate rules (“BCRs”).
  • Standard data protection contractual clauses adopted by the European Commission (“SCCs”).

The new SCCs pertain to a broader range of scenarios and include provisions for processor-to-processor (“P2P”) and processor-to-controller (“P2C”), and effectively combine all four sets of clauses into one document, allowing controllers and processors to “build” the relevant agreement on a modular basis.

The new SCCs also address the Schrems II decision of the European Court of Justice, invalidating the EU-US Privacy Shield and placing additional administrative conditions on the use of SCCs.

All contracts using the old SCCs must be transitioned to the new SCCs by 27 December 2022.

Transfer Impact Agreement

The Transfer Impact Agreement, TIA, is a document in which you record your findings: what data are transferred, how the data are treated and secured in transit and at rest, and whether local public authorities may have access to the data. The UK’s ICO has also entered the fray with the Transfer Risk Assessment, TRA, but for now, let’s concentrate on the TIA.

Given the questions that must be asked, Transfer Impact Assessments are rather lengthy exercises. Even if it weren’t mandatory, it’s a worthwhile exercise: you’ll get a good overview of your vendors and your data, and that’s always best practice.

Below is a checklist. All the questions must be answered, assessed in detail, and exhaustively described.

For more information on how HCL can support transfer impact assessments, please write to 

TIA Checklist

Data Importer

  • Who is the data importer?
  • What service does the data importer provide?
  • What processing activities does the data importer perform on your behalf?
  • What jurisdiction is the data importer in?

Identify the Data

  • What categories of personal data are being transferred?
  • Will the data be stored in the 3rd country?
  • Can data stored within the EU/EEA be remotely accessed?
  • Are the data stored in plain text, pseudonymized, or encrypted?

Transfer Context

  • Which Article 46 transfer mechanism under GDPR is being relied upon?
  • Will the 3rd party transfer the data in their turn e.g., to another country?
  • Is the transfer adequate, relevant, and limited to what’s necessary?
  • Does the data importer engage sub-processors to perform specific processing activities?
  • Does the data importer rely upon appropriate safeguards or a derogation?
  • How are the data secured in transit and at rest?

Third Country Assessment

  • Does the 3rd country’s legal system provide for the rule of law principle?
  • Does the 3rd country respect human rights and fundamental freedoms?
  • Is the 3rd country in a jurisdiction with comprehensive data protection/privacy laws?
  • Do the appropriate legal remedies exist for data subjects to exercise their rights?
  • Does the 3rd country’s data protection system contain safeguards for special categories of personal data?
  • Does the 3rd country have public security, defense, national security, and/or criminal laws enabling public authorities or law enforcement to access the transferred personal data?
  • Does the 3rd country have an independent supervisory authority?
  • Has the 3rd country signed any legally binding conventions or instruments? (e.g., Convention 108)
  • Does the 3rd country provide an essentially equivalent level of data protection as guaranteed by the GDPR?

Re-Evaluating the Transfer

  • Based on the assessment, can the data transfer continue as planned?
  • If any question is answered in an unsatisfactory manner, do you intend to implement supplementary measures?
  • Considering uncertainties related to problematic legislation, do you intend to suspend the transfer?
  • Have you documented policies and procedures in place to monitor developments in the 3rd country that could affect your initial assessment?
  • Do you have mechanisms in place to promptly suspend transfers if Article 46 GDPR cannot be upheld by the data importer?
