Want to have a Data Transfer Impact Assessment (DTIA) carried out?

The GDPR does not apply outside the EU. However, companies in the EU sometimes need to share personal data with a company outside the EU for their business activities. That company outside the EU can take on the role of (sub) processor or process the data as a controller. This is called transfer of personal data.

If personal data is shared outside the EU, the rights of data subjects may be harmed if it has not been established that the party outside the EU properly protects the personal data. The EU has assessed the legislation of several countries outside the EU as equivalent to the GDPR. It has been established for these countries that an adequate level of protection has been set up and the adequacy decision applies.

For the countries to which the adequacy decision does not apply, the European Data Protection Board (EDPB) has drawn up recommendations if personal data is transferred to a third country. The company will have to establish with the importing company on a case-by-case basis whether the legislation or practice of the third country compromises the adequate protection of personal data. This company can be both a controller and a processor. The controller always remains ultimately responsible and will have to verify that the processor has carried out the assessment correctly.

The EDPB has included a Data Transfer Impact Assessment (DTIA) in its advice, which consists of six steps.

In general, the steps consist of:

• Know what personal data you want to share with the importing company and whether the personal data is passed on by this company.
• Verification of the transfer instrument on which the transfer rests. The GDPR has four transfer instruments in Article 46. If an adequacy decision applies to the third country, the verification consists of establishing its validity.
• This step consists of checking whether there are aspects in the legislation and/or practices in force in the third country that may prevent adequate protection. In particular, government authorities in the third country may have granted themselves certain rights to access personal data.

• This is followed by the adoption and adoption of the additional measures necessary to bring the level of protection of the transmitted data up to the level of the EU standard of essential equivalence. This step is only necessary if step 3 has shown that legislation and/or practice do not offer sufficient protection.
• This is where the formal procedural steps governing the adoption of the additional measures are taken, depending on the transfer instrument. In this final step, the protection level is periodically re-evaluated.
• In this step, steps 1 through 5 are actually gone through again. The frequency depends on the risk, the size of the data exchange and the sensitivity of the personal data.