Data Transfer Impact Assessment

On this page: data transfer, third-country transfer, sharing outside EU, EEA, risk assessment
Date of last review: 2023-02-14

A Data Transfer Impact Assessment (DTIA) is a risk analysis that is needed when personal data are transferred to third countries. Unlike the DPIA, a DTIA is not an official GDPR document by itself; instead, it is usually part of, or a supplement to, a DPIA.

Goal and content of a DTIA

The goal of a DTIA is to:

  • assess the risks of:
    • the data receiver not being able to provide the promised level of protection.
    • local regulations preventing the removal or return of the personal data after use.
    • local authorities accessing the personal data (il)legitimately.
  • determine the appropriate safeguards to protect the data during the transfer.

Content of a DTIA

The DTIA should ideally contain:

  1. the context of the data transfer (which data are transferred, how, where?)
  2. under which safeguards (art. 46) the data will be transferred (e.g., Standard Contractual Clauses)
  3. how effective the safeguards will be (risk analysis)
  4. which additional safeguards are needed to ensure a sufficient level of data protection
  5. a final decision on whether or not the data can be transferred

As this is a relatively new topic in data protection, please contact your privacy officer for assistance with a DTIA or for questions about third-country transfers.

Examples and templates