Have a DTIA performed?
The General Data Protection Regulation (GDPR) is the body of EU rules that stipulates when personal data may be processed and under what conditions. Companies that process personal data in the EU, and companies from outside the EU that want to process personal data in the EU, must (demonstrably) comply with the GDPR.
Within the EU, all companies are expected to comply with the GDPR. The management of the company is responsible, and the data protection officer (DPO) and the Dutch Data Protection Authority (AP) have a supervisory task. A data subject can also hold a company accountable for the processing of their personal data, and has the option of submitting a complaint to the AP or starting civil proceedings before the court.
The GDPR does not apply outside the EU. However, companies in the EU sometimes need to share personal data with a company outside the EU for their business activities. That company outside the EU can act as a (sub-)processor or process the data as a controller. This is called a transfer of personal data.
If personal data is shared outside the EU, the rights of data subjects may be harmed if it has not been established that the party outside the EU properly protects the personal data. The EU has assessed the legislation of several countries outside the EU as equivalent to the GDPR. For these countries it has been established that an adequate level of protection is in place, and an adequacy decision applies.
For the countries to which no adequacy decision applies, the European Data Protection Board (EDPB) has drawn up recommendations for transfers of personal data to a third country. The company will have to establish with the importing company, on a case-by-case basis, whether the legislation or practice of the third country compromises the adequate protection of personal data. This company can be either a controller or a processor. The controller always remains ultimately responsible and will have to verify that the processor has carried out the assessment correctly.
What must you do before data may be passed on?
The EDPB has included a Data Transfer Impact Assessment (DTIA) in its recommendations, which consists of six steps. In outline, the steps are:
- Step 1: Know which personal data you want to share with the importing company and whether this company will pass the personal data on further.
- Step 2: Verification of the transfer instrument on which the transfer rests. The GDPR has four transfer instruments in Article 46. If an adequacy decision applies to the third country, the verification consists of establishing that the decision is valid.
- Step 3: Check whether there are aspects of the applicable legislation and/or practices of the third country that could prevent adequate protection. In particular, government authorities in the third country may have granted themselves certain rights to access personal data.
- Step 4: Determine and approve the additional measures necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence. This step is only necessary if step 3 has shown that legislation and/or practice do not offer sufficient protection.
- Step 5: Take the formal procedural steps that regulate the adoption of the additional measures, depending on the transfer instrument. In this step the protection level is also periodically re-evaluated.
- Step 6: In this step, steps 1 to 5 are repeated. The frequency depends on the risk, the scale of the data exchange and the sensitivity of the personal data.
The steps must be demonstrably recorded and accessible to the DPO and the supervisor.
Do you have questions or need an appointment?
We can support your company in carrying out DTIAs, especially if you do not need one often. We guide your company through all the steps and ensure proper documentation.
Feel free to contact us via +31 (0) 70 392 22 09 or firstname.lastname@example.org. Or contact our specialists below.