This is a smart document generation tool that will guide you through the Transfer Impact Assessment template created by the French DPA – CNIL. 

Based on your answers, the next questions will be revealed. If you have any questions, let us know at office@conformally.com

 

TIA
  • Pre-evaluation
  • Final
Is the data in question personal data?
Art. 4 (1)
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

See additional resources here and here

Are the three criteria from the EDPB guidelines (5/2021) cumulatively present? Please check the applicable boxes:


What is the qualification of the actor implicated?
Does the transfer comply with the principles of the GDPR and, in particular, can you minimise the amount of personal data transferred or transfer anonymised data rather than personal data?
Consider all GDPR principles, especially the legal basis of the processing. Make sure the data is strictly necessary for the purposes for which it is transferred.
Can your data be transferred to a country that has been recognised by the European Commission as offering an adequate level of protection?
Transfers of personal data to countries that have been recognised by the European Commission as offering an adequate level of protection do not require the implementation of supplementary measures. If you are thus able to transfer personal data to such a country, this will ensure an adequate level of protection for the data in question. In this case, you will not need to carry out a TIA.
 
Please note that adequacy decisions may have a limited scope (for example, Canada's adequacy decision only applies to private sector organisations that process personal data in the course of commercial activities) or concern only certain self-certified entities in the concerned country (for example, self-certified entities under the adequacy decision for the United States). It is therefore up to you to check that the planned transfer is covered by the adequacy decision.
 
You should also bear in mind that adequacy decisions are subject to periodic review. You should therefore regularly check the list of countries that have been the subject of an adequacy decision in case new decisions have been adopted, or countries have been removed from the list.

See the full list of the countries covered by an adequacy decision.

 
