The introduction of the new, modernized Standard Contractual Clauses (also known as SCCs) in June this year, poses some extra challenges for many organizations. The update of the SCCs entails, amongst other things, that a mandatory Transfer Impact Assessment must be performed before personal data can leave the European Economic Area. The purpose of this assessment is to identify and mitigate privacy risks in these international data transfers.

In practice, a lot of organizations tend to find conducting a TIA challenging. They do, however, see it as a priority in order to comply with the deadline set by the European Commission for the new SCCs.

This article will show you that conducting a TIA does not have to be an insurmountable task and will explain more about the most important key concepts and several hurdles you may encounter. This article will teach you how to perform a TIA so that your organization can comply with the new SCCs, before the deadline set by the European Commission.

What is an international transfer?

Whenever personal data flows from the European Economic Area (hereinafter: EEA), which consists of the European Union, Iceland, Norway, and Liechtenstein, to countries outside the EEA. These countries outside the EEA are also called ‘third countries’.[1]

When personal data are transferred outside the EEA, it is important to make sure that the same level of protection, as afforded in the Member States in the EEA, applies in the third country. For example, if you are transferring personal data from Germany to the US, it is important that the same level of protection also applies in the US.

Lastly, you should also always have a legal transfer mechanism in place for international data transfers. There are various transfer mechanisms, such as adequacy decisions, binding corporate rules and SCCs. In case the European Commission grants an adequacy decision[2], a TIA is not required, since the country’s level of data protection is considered to be adequate. However, one of the most common used mechanisms are SCCs, in which it is always mandatory to conduct a TIA.

In practice, we see that transfers to non-adequate countries will almost always require use of the SCCs as the only available transfer mechanism. This is why it is also necessary to understand more about SCCs.

What are SCCs?

SCCs are one of the most common used transfer mechanisms. These are standardized and pre-approved model data protection clauses.[3] Over the last years, the SCCs have changed. Max Schrems challenged the validity of the Safe Harbor and the Privacy Shield and was successful in both instances.[4]

As a result of the invalidation of the Privacy Shield, the European Court of Justice indicated that an assessment of the international data transfer has to be conducted, and in certain instances supplementary measures be implemented. The European Commission has confirmed what the European Court of Justice ruled in the Schrems II decision, namely that conducting TIAs is an obligation under the new SCCs.[5]

The new SCCs have been introduced as an update. It is important to understand that these new SCCs have consequences for both the data exporter and data importer. The data exporter is the organization that sends the data, and the data importer is the organization that receives the data.

There is also an implementation period. Up until 27 September 2021 you were able to conclude the old SCCs, but from that date the new SCCs are to be concluded. The new SCCs also introduced an 18-month transition period and organizations have until the 27^th of December 2022 to update the old SCCs to the new SCCs.[6]

It is also important to note that the aspects of hierarchy and liability are also applicable. Regarding the hierarchy, a dispute between the SCCs and other agreements that have been concluded, such as a Master Services Agreements, will result in the SCCs trumping the other agreements. Regarding liability, if the data importer is located in the third country, they will not be able to exclude or exempt all their liability. In that case both the data importer and data exporter will have liability.

If you want to learn more about the new SCCs, you can watch our previous webinar on SCCs on our website: Schrems II: the implications of the new Standard Contractual Clauses.

Now that it is clear what an international data transfer is, and what the new SCCs entail, one can learn more about the TIA itself.

What is a TIA?

A TIA is a tool that enables an organization to assess the risks involved when sending data internationally. At the moment, the TIA is form free, although the EDPB provided draft guidelines on how to conduct a TIA and what supplementary measures can be implemented to mitigate risks.[7]

It is important to note that if the supervisory authority contacts either the data importer or the data exporter to review the TIA that has been conducted for the transfer, it must be provided. This is in line with the accountability principle under the GDPR that requires organizations to document their GDPR compliance.[8]

How should you conduct a TIA?

To conduct a TIA, you should take the following steps:

Step 1: Collect information on the applicable processing activity.

Step 2: Verify whether there are any onward data transfers to sub processors.

Step 3: Assess a third country’s level of privacy protection.

How should I manage the TIA project?

Before you can start conducting TIAs, you must realize you need to have all essential elements in place. First and foremost, budget and time must be available. A CEO sign-off is therefore recommended before starting your TIA project.

After this sign-off, it is important to know whether there is a DPO or a privacy officer that you can consult. If not, it must be determined who in the organization is responsible for conducting the TIA. A crucial element in this role is that this person should have decent knowledge on EU privacy laws and regulations, including the GDPR.

To identify all of your organization’s international data transfers, the records of processing activities are a good place to start, as you have to create an inventory of all of your organization’s non-EU vendors. In case you do not have a (complete) record of processing activities yet, you should take into account that this might be a time-consuming process.

Once you have listed the international data transfers, you will have a clearer picture of all your data exporters and data importers, and who should be contacted for assistance with conducting the TIA. Please note that this project cannot be accomplished alone, and both the data importer and data exporter are responsible for providing the necessary information.

Therefore, it is recommended that the parties make agreements about each parties’ contribution and the set deadlines.

What challenging hurdles can be encountered?

However, we are aware that not everything goes according to plan and sometimes you have to be pragmatic in your approach. There may be challenging hurdles you may encounter, such as not having the right expertise. This is understandable, as most organizations do not have the luxury of having employees who are 100% focused on data privacy activities. If you are aware that you need support, it is recommended to contact data privacy professionals for assistance in conducting the TIA.

Another hurdle is having no budget and/or time. Please note that you always need a budget to conduct a decent TIA. If your organization chooses not to provide a budget for TIAs, they should be aware of the financial consequences this could have for the organization. Think of fines by the supervisory authorities, reputational damage, and possible legal action against the organization.

Furthermore, there can be no response from the other party. Unfortunately, we notice that not all parties respond to our requests to complete the TIAs together. In that case, one or two follow-ups should be sent. But if they still do not respond or send you limited information, you basically have two options:

• The lack of information is a clear risk in the TIA. You can therefore complete the TIA as much as possible and let the CEO decide whether the risk is accepted or not; or
• You should consider an alternative vendor to avoid risks.

Lastly, there can also be confusion regarding roles. Organizations often try to provide the new SCCs on their website. However, it is not recommended to just accept the new SCCs because the SCCs that are uploaded may differ from the roles that are actually present in your data transfer.

Conclusion

All in all, conducting TIAs does not have to be such a challenging task. If an organization understands how to identify an international data transfer, how to deal with the new SCCs, knows what a TIA should consist of, and how to manage a TIA project and the accompanied hurdles, the organization is ready for conducting successful TIA projects.

At DPO Consultancy, we have developed a TIA template that allows organizations to conduct TIAs more efficiently and easily. If your organization needs any support on TIAs, the new SCCs, or the GDPR in general, please contact us via: info@dpoconsultancy.nl.

[1] Article 44-50 GDPR.

[2] Article 45 GDPR.

[3] Article 46(2)(c) GDPR.

[4] C‑362/14 Maximillian Schrems v Data Protection Commissioner; C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

[5] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

[6] https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

[7] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0.

[8] Article 5(2) GDPR.