Article 46 GDPR – data transfer impact assessment (DTIA)

What is a DTIA?

A DTIA is a process to evaluate the potential risks and implications of transferring personal data to a non-EEA country without an adequacy decision.

When do I need a DTIA?

A DTIA is required when you intend to transfer personal data to a destination jurisdiction that is outside the European Economic Area (EEA) and has no adequacy decision by the European Commission.

When is a DTIA not necessary?

A DTIA is not necessary if at least one of the following appropriate safeguards is in place:

  • a legally binding and enforceable instrument between public authorities or bodies
  • binding corporate rules in accordance with Article 47
  • standard data protection clauses adopted by the Commission
  • standard data protection clauses adopted by a supervisory authority and approved by the Commission
  • an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights
  • an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights

If none of the listed safeguards is in place, it must be examined further whether one of the following derogations permitting a transfer to a third country under Article 49 of the GDPR applies:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
  • the transfer is necessary for important reasons of public interest
  • the transfer is necessary for the establishment, exercise or defence of legal claims
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case

Georgine Berger

“The content of a DTIA may vary based on the organization’s circumstances, the countries involved in the transfer, and the applicable data protection regulations.”

What is the penalty for not conducting a DTIA?

The fine for not conducting a DTIA when required can be up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The specific penalties can be influenced by various factors, including the nature of the infringement, the cooperation of the organization, the measures taken to mitigate risks, and the previous compliance history of the organization. Each supervisory authority has the discretion to determine the appropriate penalty based on these factors.

FAQs

What is a data transfer?

A data transfer refers to the movement or transmission of data from one location, system, or medium to another. It involves the transfer of digital information from a sender or source device to a recipient or destination device. Data transfers can occur in various ways, including electronic transmission over networks such as the Internet, wired connections, wireless communication, or through physical storage media such as USB drives, hard drives, or DVDs.

When does a data transfer become problematic?

A data transfer is problematic when personal data is transferred to a third country for which the European Commission has issued no adequacy decision.

What is considered a third country?

A third country is any country outside the European Economic Area (EEA).

What is a data transfer to a third country?

A transfer to a third country takes place if either the establishment of the recipient or the place of processing is in a third country.

What is an onward transfer?

The rules on international data transfer also apply to the onward transfer of personal data from one third country to another.

Onward transfers from the first recipient to a third party are therefore subject to the same requirements as the original transfer to the first recipient.

Thus, the data transfer can take place directly or indirectly (e.g., an onward transfer through the processor and its sub-processors).

Which countries are considered “safe third countries”?

Third countries that have an adequacy decision from the European Commission are considered “safe”. An adequacy decision allows for the free transfer of personal data to the respective third country without the need for an additional legal basis such as consent by the data subject. The following countries have an adequacy decision:

The United States, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay.
