[Closed] Transfer Impact Assessment (TIA): the CNIL Consults You on a Draft Guide

08 January 2024

Organisations transferring personal data outside of the European Economic Area (EEA) must assess the level of data protection in the countries of destination and the need for the adoption of supplementary measures. In order to help them, the CNIL organises a public consultation on a draft guide until February 12th, 2024.

Guaranteeing the same level of protection as the GDPR for data transfers

Regardless of their status or their size, a large number of actors are concerned by the issue of transfers outside the European Economic Area (EEA). Technical developments in particular cloud services have increased the number of occasions on which personal data is processed in whole or in part in third countries that are not subject to EU law (especially the GDPR). However, in case of transfer, the data must continue to enjoy the same level of protection as the one afforded by the GDPR.

In its "Schrems II" ruling , the Court of Justice of the European Union (CJEU) emphasised the responsibility of exporters and importers to ensure that personal data is processed, and continues to be processed, in compliance with the level of protection set by the EU data protection legislation. According to the CJEU, exporters are also responsible for suspending the transfer and/or terminating the contract if the importer is not, or is no longer, in a position to comply with its personal data protection commitments.

Thus, exporters relying on Article 46.2 and 46.3 GDPR tools for their personal data transfers are obliged to assess the level of protection in the third country of destination of the data and the need to put in place additional safeguards.

Such assessment is commonly known as a Transfer Impact Assessment (TIA).

In line with the recommendations of the European Data Protection Board (EDPB) on additional measures supplementing the transfer instruments, the CNIL has developed this guide to help data exporters carry out their TIAs.

In which cases should an TIA be carried out?

A TIA must be undertaken by controllers or processors acting as data exporters, with the assistance of the importer, before transferring data from a European Economic Area (EEA) country to a third country where such transfer is based on an Article 46 transfer tool. Since the importer has a lot of information needed for this assessment, its cooperation is essential for the realisation of the TIA.

If the country of destination of the data is covered by an adequacy decision of the European Commission, the exporter is not subject to this obligation to carry out an TIA. The same applies if the transfer is carried out on the basis of one of the derogations listed in Article 49 of the GDPR.

What is the purpose of a TIA?

The TIA should enable the exporter to assess the level of data protection offered by local legislation and take into account the practices of authorities in the third country regarding access to transferred data. To this end, the TIA should make it possible to assess the existence in the country of destination of the essential European guarantees for surveillance measures as identified in the EDPS recommendations.

Where necessary, the TIA should also assess whether supplementary measures would make it possible to remedy the shortcomings identified and ensure the level of data protection required by EU legislation.

What are the objectives and scope of the TIA Guide?

This guide constitutes a methodology, a checklist, which identifies various elements to be considered when carrying out a TIA. It gives indications on how the analysis can be carried out by following the six steps set out in EDPB’s recommendations, and points to the relevant documentation. It does not constitute an evaluation of the laws and practices in the third country and risks related thereto.

The use of this guide is not obligatory. Other elements can be considered and other methodologies can be applied.

This guide is organised in six different steps to be followed to carry out a TIA:

  • Know your transfer
  • Document the transfer tool used
  • Evaluate the legislation and practices in the country of destination of the data and the effectiveness of the transfer tool
  • Identify and adopt supplementary measures
  • Implement the supplementary measures and the necessary procedural steps
  • Re-evaluate at appropriate interval the level of data protection and monitor potential developments that may affect it

What is the timing of the consultation and who can contribute to the consultation?

This public consultation will end on February 12th, 2024.

The CNIL would like to give as many people as possible the opportunity to take part in this public consultation, whether they are natural persons or legal entities, public or private actors. In particular, the CNIL wishes to mobilise all players who transfer data outside the EEA whether they have already carried out Transfer Impact Assessments or not.

Responses to the public consultation can be collective and can be consolidated through federations, associations, etc.

It is not necessary to comment on all the fiches in order to respond to the public consultation.

The public consultation is closed.

What are the next steps?

The contributions will be analysed at the end of the public consultation to allow the publication of the final guide on the CNIL website in 2024.