The purpose of this practical sub-module is to help entrepreneurs who export personal data carry out an analysis of the impact of the transfer of personal data to third countries.
Analysis of the impact of the transfer of personal data to third countries Eng. (Transfers Impact Assessment, TIQA) must be carried out by managers or processors acting as data exporters, with the help of data importers, before the transfer of data from a country in the European Economic Area (EEA) to a third country, in cases where this transfer relies on an instrument from the article 46. General regulations on data protection.
If the destination country is covered by the European Commission Adequacy Decision, the exporter is not obliged to carry out an impact analysis of the transfer of personal data to third countries. The same applies if the transfer is carried out on the basis of one of the derogations specified in Article 49 of the General Data Protection Regulation.
In cases where the transfer of data is necessary, the purpose of the TIA is to assess whether the importer will be able to fulfill its obligations as set out in the existing instrument of transfer, taking into account the legislation and practices of the third country of destination - in particular with regard to potential access to personal data by third party authorities country and document that assessment.
For this purpose, the exporter must assess the level of protection offered by local legislation and consider the practices of third country authorities in the context of the intended transfer.
The TIA should enable the exporter to assess whether the additional measures will enable the elimination of deficiencies identified in the area of personal data protection and ensure the level required under EU legislation.
Since the importer has much of the information needed for this assessment, his cooperation is essential for the implementation of the TIA. In the context of the relationship between the data controller and the processor and Article 28 of the General Data Protection Regulation, the processor is obliged to provide the specified information to the processor.