Problem area in international data traffic

European data protection does not exactly make it easy for companies to send data to third countries. The Transfer Impact Assessment (TIA) is intended to help reduce the risks of a breach of EU data protection law.

The facts actually sound quite succinct: “Data transfers between EU member states and the contracting states of the European Economic Area (EEA) within the scope of the General Data Protection Regulation (GDPR) are to be treated in the same way as domestic data traffic under data protection law. For data transfers to third countries outside the EU and the EEA, the special conditions of Chapter 5 of the GDPR must also be met.”

This is stated in the information on “Data protection and telecommunications” published by the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Anyone looking for this Chapter 5 in the GDPR will find it under the heading “EU-GDPR: Transfer of personal data to third countries or international organisations”. Companies must therefore guarantee that they comply with the GDPR requirements for personal data. These often quite extensive questions should be answered in the “Data Transfer Impact Assessment” (DTIA) or “Transfer Impact Assessment” (TIA) (see also “Data Transfer Impact Assessment (TIA): But how?”).

Where to go with TIA?

Dr Markus Hülper, data protection expert at CLARIUS LEGAL, puts it in a nutshell: “The core of the problem is the transfer of personal data from the EU to ‘unsafe third countries’. According to ECJ case law, this ultimately requires a risk assessment of the data export to these countries. How this assessment is to be organised in detail has not yet been conclusively clarified.”

At least the EU member states have already agreed on the sanctions. “The European supervisory authorities may impose fines for violations of the General Data Protection Regulation (GDPR). These can amount to up to 20 million euros or, in the case of companies, up to 4 per cent of annual global turnover”, according to the press release “Uniform rules for data protection fines in Europe” from the German Federal Data Protection Commissioner.

Data means potential risks

As part of the risk assessment, companies must evaluate the level of data protection in third countries. However, it is questionable whether companies in Germany with their own employees can afford the detailed legal knowledge of local data protection law and the possibilities for government agencies to access the data.

The European Data Protection Board (EDPB) has published recommendations on exporting data to third countries in 2021. These provide for a very extensive and complex review process, which is virtually impossible for small and medium-sized enterprises (SMEs) to carry out in practice.

Finding the right answers

The problem should be solved quickly, as it is to be feared that many contracts could otherwise be cancelled. For example, data exporters from the EU sometimes make do with comprehensive questionnaires on the current status of data protection in the third country, which they send to the data importers. The response rate for such questionnaires is low due to the complexity of the questions. Companies are often unable to improve this unsatisfactory situation on their own. CLARIUS LEGAL’s proven experts in data protection provide support here.

Data Transfer Impact Assessment (TIA): But how?

There are no legal requirements as to how a TIA is to be carried out and documented. The data protection supervisory authorities also provide general information, but no template for implementation.

First of all, administrative data must be recorded and questions must be asked and answered, such as

The planned processing must then be described. Comparable to the information in the register of processing activities (Art. 30 GDPR) must be described:

In accordance with the Schrems II judgement, the legal situation in the third country must be assessed, i.e. whether the level of data protection in the third country is equivalent to the level of protection in the EU and whether data subjects have enforceable rights and effective legal remedies that meet the requirements of the GDPR and the EU Charter of Fundamental Rights. The questions to be answered therefore include, for example:

Does the third country or the region of the third country have legal regulations that serve data protection?
Do the rules apply equally to citizens or residents of the third country and to persons who are not citizens or residents of the third country?
Is the data importer subject to these laws?
Do these regulations also protect the data of the data exporter affected by the third country processing?
Do these rules grant enforceable rights and effective legal remedies to data subjects affected by third-country processing so that a level of protection exists in the third country which is equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter?
Do laws or practices exist in the third country that may force the data importer to grant third parties such as authorities access to the data?

Source: “Data processing in a third country: Data Transfer Impact Assessment (TIA) – an introduction to the topic“, Professional Association of Data Protection Officers in Germany (BvD) e. V.

In practice, this extensive catalogue demands a great deal of effort and detailed care from the companies concerned. Experienced personnel are required for this task. However, medium-sized companies in particular are likely to find it difficult to assign their own employees to this extensive, highly specialised task. In addition, uncertainty prevails, especially in legally critical areas. Many companies therefore rely on external support to help them solve their problems with the Data Transfer Impact Assessment. If you would also like to rely on proven and experienced data protection expertise, please send us a non-binding enquiry.