The purpose of this practical sub-module is to assist entrepreneurs who export personal data in carrying out the analysis of the impact of transferring personal data to third countries.
The analysis of the impact of transferring personal data to third countries (Transfers Impact Assessment, TIA) must be conducted by data controllers or processors acting as data exporters, with the assistance of data importers, before transferring data from the European Economic Area (EEA) to a third country, in cases where such transfer relies on an instrument under Article 46 of the General Data Protection Regulation.
If the destination country is covered by a European Commission Adequacy Decision, the data exporter is not obliged to conduct an analysis of the impact of transferring personal data to third countries. The same applies if the transfer is made based on one of the derogations listed in Article 49 of the General Data Protection Regulation.
In cases where data transfer is necessary, the purpose of the TIA is to assess whether the importer will be able to fulfill its obligations as stated in the existing transfer instrument, taking into account the legislation and practices of the destination third country - especially regarding potential access to personal data by authorities of the third country and to document this assessment.
For this purpose, the data exporter must assess the level of protection offered by local legislation and consider the practices of authorities in the third country in the context of the planned transfer.
The TIA should enable the data exporter to assess whether additional measures will enable the rectification of deficiencies identified in the area of personal data protection and ensure the level required by EU legislation.
As the importer possesses much of the information needed for this assessment, their cooperation is crucial for the implementation of the TIA. In the context of the relationship between data controllers and data processors and Article 28 of the General Data Protection Regulation, the data processor is obliged to provide the specified information to the data controller.
