Transfer Impact Assessments Under the New SCCs: What You Need to Know
The New SCCs require organisations to undertake a transfer impact assessment before completing a transfer of personal data from within the European Economic Area to any third country. Read on to learn how to complete a transfer impact assessment:
Steps to Undertake a Transfer Impact Assessment
There are three essential steps you need to perform to undertake a transfer impact assessment:
Step 1: Know and Understand Your Transfer
To truly know and understand your transfer, you must know:
- Who is the data importer;
- What services the data importer provides;
- The nature of the processing activities the data importer will perform on your behalf;
- What categories of personal data are being transferred;
- Why the data is being transferred;
- Whether the data is encrypted or pseudonymised;
- If the data will be stored in or accessed by a third country;
- What protections the data importer has implemented.
Step 2: Consider the Laws in the Third Country
The GDPR requires that data being transferred out of the EU is protected by ‘essentially equivalent’ protections in the third country it is transferred to. A key part of this is identifying the mechanism being relied on to transfer the data. In many cases, this will be the European Commission’s SCCs.
The SCCs require:
The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
To achieve this in practice, organisations should assess the risk of lawful access to the data being transferred to a third country, including:
- Identifying the comprehensive data protection/privacy law (if any);
- Whether the data importer is contractually required to defend the personal data against access attempts;
- What the laws in the third country state about governmental access to imported data;
- Whether the objectives pursued by public authorities are necessary and proportionate;
- What oversight mechanisms exist in the third country;
- Whether individuals have effective legal remedies relating to their data;
- What notification requirements are in place;
- Whether individual rights to redress exist in the third country.
Step 3: Identify and Document the Safeguards
Wherever a risk exists that the data will be accessed in a third country, organisations must implement adequate safeguards against that risk. Where this is not possible, they must not complete the data transfer.
The safeguards can be technical, contractual, or organisational and may include:
- Deciding whether it is feasible for the data exporter to transfer personal data to a whitelisted country instead of a (less safe) third country;
- Ensuring the data is adequately protected using technical methods such as encryption and access control (amongst others);
- Requiring the data importer to supply certificates and/or reports relating to security and security breaches;
- Requiring that the data importer/processor take certain steps when hiring and training personnel who may access the data, such as background checks or annual privacy training; and
- Implementing cross-functional diligence requirements so third parties in third countries cannot transfer on personal data without first engaging in a transfer risk assessment and without first obtaining consent.
Finally, bear in mind that it is not sufficient to complete a transfer impact assessment once and rely on it into the future. You need to refresh the TIAs regularly since the laws of third countries are likely to change over time.
If you need help meeting your privacy and data protection obligations, reach out.