Data Transfer Impact Assessment
A Data Transfer Impact Assessment (DTIA) is a risk analysis that is needed when personal data are transferred to third countries. Unlike the DPIA, a DTIA is not an official GDPR document by itself; it is usually part of, or a supplement to, a DPIA.
What is a third-country transfer?
In legal terms, a transfer exists when personal data controlled by one party are accessible to another, irrespective of whether the data are physically sent to that party. An international/third-country transfer exists when the party that can potentially gain access is based in a country outside the European Economic Area (EEA) which does not have an adequacy decision from the European Commission.
In GDPR terminology:
- No transfer: a researcher who is connected to an EEA-organisation - and thus has to abide by the GDPR - accesses data that are stored at that EEA-organisation from a “non-adequate” country (provided safeguards are in place to prevent other parties from gaining access).
- Third-country transfer: personal data are stored on the servers of a non-EEA party, or with a cloud provider that has servers both in- and outside the EEA.
- No third-country transfer: the party with whom the data are shared is already subject to the GDPR (e.g., the party is situated in Germany or Italy).
Goal and content of a DTIA
The goal of a DTIA is to:
- assess the risks of:
  - the data receiver not being able to provide the promised level of protection.
  - local regulations preventing the removal or returning of the personal data after use.
  - local authorities accessing the personal data (il)legitimately.
- determine the appropriate safeguards to protect the data during the transfer.
The DTIA should ideally contain:
- the context of the data transfer (which data are transferred, how, where?)
- under which safeguards (art. 46) the data will be transferred (e.g., Standard Contractual Clauses)
- how effective the safeguards will be (risk analysis)
- which additional safeguards are needed to ensure a sufficient level of data protection
- a final decision on whether or not the data can be transferred
As this is a relatively new topic in data protection land, please contact your privacy officer for assistance with a DTIA or for questions about third-country transfers.