Personal data protection: why a Data Transfer Impact Assessment should be part of your GDPR compliance

International data transfers in GDPR compliance are complex, as data are transferred to third countries outside the European Union (EU) or the European Economic Area (EEA). Suppose you are interested in personal data protection issues. In that case, you already know about the Schrems II decision, in which the Court of Justice of the European Union (CJEU) indicated that the level of protection of personal data transferred outside the EEA and EU should remain equivalent to that guaranteed in the EU and EEA (but does not necessarily have to be identical). That is, the transfer of personal data to third countries must maintain the level of protection of personal data.

In this article, using the example of Ukraine, we will consider the following:

• What is a Data Transfer Impact Assessment?
• Who are data importers and exporters, and how do these relate to controllers and processors?
• How does conducting a DTIA relate to GDPR compliance?
• Who is required to conduct a DTIA?
• What are the main steps in conducting a DTIA?
• What is the difference between a Data Transfer Impact Assessment (DTIA) and a Data Protection Impact Assessment (DPIA)?
• What should the DTIA note for transferring personal data from the EU to Ukraine?

What is a Data Transfer Impact Assessment?

The Data Transfer Impact Assessment (DTIA) assesses the risks that may arise when transferring personal data from one country to another, particularly outside the EU/EEA, if such third countries do not have an adequate decision.

And why is this a critical stage? Of course, to protect the rights and freedoms of individuals, particularly the privacy of personal data subjects.

In the case of transferring personal data outside the EU/EEA, it is worth paying attention to the Standard contractual clauses (SCCs), which were published by the European Commission in 2021. Two groups of SCCs were then adopted: the first concerned the relationship between controllers and processors to coordinate the approach to the transfer of personal data throughout the territory of the EU/EEA, and the second – the transfer of personal data to states outside the EU/EEA.

In this article, we will look at the second group, which concerns the international transfer of personal data and imposes the obligation to conduct a DTIA.

Who are data importers and exporters, and how do these relate to controllers and processors?

Data importers and exporters are terms used in the international transfer of personal data. Depending on the data transfer defined in the contract between the parties, the controller and the processor can be importers and exporters of personal data.

How does conducting a DTIA relate to GDPR compliance? 

In 2021, new Standard Contractual Clauses (SCCs) were adopted, which confirmed the need to conduct a DTIA before the international transfer of personal data if the importing country does not have an adequacy decision.

Thus, Clause 14 states that before entering into an SCC, the parties must assess whether the laws and practices of the third country (country of destination) applicable to the processing of personal data by the data importer may prevent compliance with the provisions of the protection of personal data. 

Who is required to conduct a DTIA?

When entering into an agreement on the international transfer of personal data and including the SCC in such an agreement, the parties must consider the laws and practices of the third country to provide an equivalent level of protection to that guaranteed in the EU and EEA.

However, it is the responsibility of the data exporter to assess the legislation of the third country. The data exporter should determine whether the country where the data importer is located has any rules and laws regarding data protection or whether there is a local data protection authority.

What are the main steps in conducting a DTIA? 

In general, the European Personal Data Protection Board (EDPB), in Recommendation 01/2020 on measures to ensure compliance with the level of EU personal data protection, described six steps related to Data Transfer Impact Assessment.

First, The EDPB advises being aware of all international data transfers to the territory of third countries. Mapping all personal data transfers is difficult, but it is essential to guarantee an equivalent level of protection.

The second step is to check the transfer tool (the transfer tool your transfer relies on) among those listed in Chapter V of the GDPR. Suppose there is an adequacy decision regarding a third country, which the Commission publishes on its official website. In that case, no further action should be taken regarding transferring personal data to such a country. The main thing here is to control that the decision on compliance remains valid.

Article 46 of the GDPR provides various transfer tools that can be used to export data to a third country. The most common tool is the use of SCCs.

The third step is an assessment of the third country’s laws and practices regarding protecting personal data. When conducting an assessment of data protection laws, it is possible to determine whether the chosen transfer tool provides an adequate level of data protection.

The next step may be to determine additional measures if it is found that the chosen means of transmission do not provide an equivalent level of protection. Other measures may have a technical and organizational nature (for example, the use of encryption and pseudonymization of data).

The fifth step is to put these additional measures into practice. After implementing your transfer tool and any relevant additional measures (if necessary), you can proceed with the data transfer.

And the sixth step is to regularly check for changes in laws and practices in the third country that may affect the data protection level determined based on the initial assessment.

What is the difference between a Data Transfer Impact Assessment (DTIA) and a Data Protection Impact Assessment (DPIA)? 

Despite the similarity in name, DTIA and DPIA are different procedures. The DTIA is conducted to assess the risks associated with the international transfer of personal data. In contrast, the DPIA assesses the risks associated with any processing of personal data within the European Union (when such processing may impair the protection of the rights of individuals).

You can read more about DPIA in this article.

What should the DTIA note for transferring personal data from the EU to Ukraine?

For example, a product IT company from the EU decided to outsource to a company from Ukraine to develop new software. For this, the company from the EU plans to transfer the personal data of its customers to developers from Ukraine to create a new product. In this case, the EU company (the data exporter) must conduct a DTIA to assess the possible data transfer risks to Ukraine.

To assess the risk factors in the case of data transfer to Ukraine, it is worth paying attention to such features as the probability of illegal access to personal data, the presence of an appropriate level of data protection and the general level of compliance with human rights in the state, as well as to analyze national and international judicial practice.

When analyzing the laws and practices applicable to personal data in Ukraine, pay attention to current international (applicable to Ukraine) and national laws, secondary regulations, relevant case law and recommendations in the field of data protection.

For instance, analyze the provisions of the Constitution of Ukraine and the Law of Ukraine “On the Protection of Personal Data”, as well as the provisions related to the protection of personal data contained in the Criminal, Criminal Procedure Codes, Laws of Ukraine “On the National Police”, “On the Security Service of Ukraine “, “On operational and investigative activities”, etc. In addition, analyze the cases of the Constitutional Court of Ukraine and the European Court of Human Rights regarding Ukraine.

Also, note the existence of an effectively functioning independent supervisory body or an official responsible for ensuring compliance with personal data protection rules. In Ukraine, this is the Ukrainian Parliament Commissioner for Human Rights.

Particular attention should be paid to the determination of the level of Ukraine’s fulfilment of international obligations and participation in international organizations regarding the protection of personal data, as well as to the assessment of the level of proportionality of state intervention, which is provided for by the legislation of Ukraine (in particular, laws that establish requirements for providing personal data to state authorities).

Conclusions

Therefore, the DTIA is a process that helps protect personal data when transferred internationally. DTIA must be carried out in detail and under established requirements. Insufficient risk assessment can lead to unauthorized access to personal data, violation of its protection or loss, which can cause negative consequences for the company’s reputation.

Our team of privacy lawyers will always help conduct the DTIA and solve other issues related to personal data protection.