Data Transfer Impact Assessment

A Data Transfer Impact Assessment (DTIA) is a risk analysis that is needed when personal data are transferred to third countries. Unlike the DPIA, a DTIA is not an official GDPR document by itself; instead, it is usually part of, or a supplement to, a DPIA.

What is a third-country transfer?

In legal terms, a transfer exists when personal data controlled by one party are accessible to another, irrespective of whether the data are physically sent to that party. An international/third-country transfer exists when the party that can potentially gain access is based in a country outside the European Economic Area (EEA) which does not have an adequacy decision from the European Commission.

In GDPR terminology:

  • No transfer: a researcher who is connected to an EEA organisation, and thus has to abide by the GDPR, accesses data that are stored at that EEA organisation from a “non-adequate” country (provided safeguards are in place to prevent other parties from gaining access).
  • Third-country transfer: personal data are stored on the servers of a non-EEA party, or a cloud provider is used that has servers both inside and outside the EEA.
  • No third-country transfer: the party with whom the data are shared is already subject to the GDPR (e.g., the party is situated in Germany or Italy).

Goal and content of a DTIA

The goal of a DTIA is to:

  • assess the risks of:
    • the data receiver not being able to provide the promised level of protection.
    • local regulations preventing the removal or returning of the personal data after use.
    • local authorities accessing the personal data (il)legitimately.
  • determine the appropriate safeguards to protect the data during the transfer.

The DTIA should ideally contain:

  1. the context of the data transfer (which data are transferred, how, where?)
  2. under which safeguards (art. 46) the data will be transferred (e.g., Standard Contractual Clauses)
  3. how effective the safeguards will be (risk analysis)
  4. which additional safeguards are needed to ensure a sufficient level of data protection
  5. a final decision on whether or not the data can be transferred

As this is a relatively new topic in data protection land, please contact your privacy officer for assistance with a DTIA or for questions about third-country transfers.

Examples and templates