GDPR, DPIA, PIA, Schrems II, Privacy Shield, TIA: if you are even remotely active in privacy, data management, GRC, IT, IS, marketing or HR, these acronyms have become part of your everyday language. Transfer Impact Assessment, TIA, is a relatively new addition to the collection. But what is it?
The impetus to conduct a TIA comes from three legal authorities:
- European Court of Justice, ECJ
- European Data Protection Board, EDPB
- European Commission, EC
European Court of Justice
First, in the European Court of Justice’s Schrems II decision the ECJ stated that even when an organization uses a contractual mechanism provided for under the GDPR it is:
“…above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
European Data Protection Board
Second, when the European Data Protection Board (EDPB) finalized its recommendations on measures that supplement data transfer tools, it recommended that, before transferring personal data out of the EEA to a country without an adequacy decision from the European Commission, a data exporter should assess, in collaboration with the importer where appropriate, whether there was
“…anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer.”
In practice, this means that for any transfer of personal data from the EU/EEA to a third country without an adequacy decision, you must:
- Analyze the legislation of the data importer’s country.
- Identify whether public authorities of the third country may seek access to the data, with or without the data importer’s knowledge, based on legislation, practice, or reported precedent.
- Identify whether public authorities of the third country may be able to access the data through telecommunication providers or communication channels, considering the legislation, legal powers, and the technical, financial, and human resources at their disposal, as well as reported precedent.
European Commission
Based on Schrems II, the European Commission approved new standard contractual clauses containing a requirement, in Clause 14, that for all transfers of personal data (regardless of whether they originate from, or are received by, a controller or a processor) the Parties:
“…warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer prevent the data importer from fulfilling its obligations under these Clauses.”
The data importer specifically warrants that it has:
“…made its best efforts to provide the data exporter with the relevant information.”
To complete the assessment, the Parties jointly agree to:
“…document the assessment and make it available to the competent supervisory authority on request.”
Appropriate safeguards for such transfers include:
- Binding corporate rules (“BCRs”).
- Standard data protection contractual clauses adopted by the European Commission (“SCCs”).
The new SCCs cover a broader range of scenarios, adding provisions for processor-to-processor (“P2P”) and processor-to-controller (“P2C”) transfers alongside the controller-to-controller and controller-to-processor ones, and combine all four modules into one document, allowing controllers and processors to “build” the relevant agreement on a modular basis.
The new SCCs also respond to the Schrems II decision of the European Court of Justice, which invalidated the EU-US Privacy Shield and placed additional administrative conditions on the use of SCCs.
All contracts using the old SCCs must be transitioned to the new SCCs by 27 December 2022.
Transfer Impact Assessment
The Transfer Impact Assessment, TIA, is the document in which you record your findings: what data are transferred, how the data are treated and secured in transit and at rest, and whether local public authorities may have access to the data. The UK’s ICO has also entered the fray with the Transfer Risk Assessment, TRA, but for now, let’s concentrate on the TIA.
Given the questions asked, Transfer Impact Assessments are rather lengthy exercises. Even if they weren’t mandatory, they would be a worthwhile exercise: you get a good overview of your vendors and your data, which is always good practice.
Below is a checklist. All the questions must be answered, assessed in detail, and exhaustively documented.
For more information on how HCL can support transfer impact assessments, please write to
TIA Checklist
- Data Importer
- Identify the Data
- Transfer Context
- Third Country Assessment
- Re-Evaluating the Transfer