ODO24 Logo
ODO24 Logo
ODO24 Logo

TIA calculator

Transfer Impact Assessment

Do you use cloud services? Are you part of an international capital group? Do you have a call centre or IT helpdesk outside the EU?

If so, you are probably transferring personal data to third countries. Use our calculator and assess the risks related to this. Check whether the security measures you apply are sufficient!

The CJEU judgment in Schrems II, which invalidated the so-called Privacy Shield, disrupted the plans of many companies sending data to the USA and other third countries. Data exporters (as we call organisations sending data outside the EEA) began to look for alternative solutions, often turning to standard contractual clauses (SCC).

In light of the aforementioned judgment, the SCCs alone are, however, insufficient. Data exporters should previously assess the planned transfer in terms of the law and practice in the recipient country (the so-called transfer impact assessment, TIA) to determine whether they are able to guarantee the security of the transferred data.

How to carry out this analysis? With our form it’s simple! All you need to do is fill in its three parts:

  1. the context of the transfer where you describe the planned operation in detail;
  2. data protection law and practice, where you will assess, inter alia, local data protection legislation and the practice of the local supervisory authority;
  3. the transfer risk where you assess the impact of the planned transfer on the rights and freedoms of data subjects.
1Transfer context
Who sends data outside the EEA – this will be your organisation
Indicate the process in which the transfer takes place. Refer to your record of processing activities/register of all categories of processing activities
Since when has the transfer been ongoing? When will it start?
Until when will the transfer last? Until when do you plan to send data? You may refer to the agreement with the data recipient
How do you send data to the recipient? Is it sensitive data? If so, what kind? Refer to your documentation, in particular the record of processing activities
Whose data are transferred? Do you process data of persons requiring special care (children, elderly persons, persons with disabilities, employees)?
Each processing activity must be based on specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Indicate the purpose you have established; you will find it in the record of processing activities.
When starting an inventory of transfers, it is good to begin with a review of your resources and an analysis of which tools involve transfers. For example: if the organisation uses a cloud-based CRM, check in the privacy policy or in the agreement with the provider whether the provider and servers are in the EEA
This question allows a detailed assessment of the transfer context and the selection of appropriate supplementary measures – in the case of effectively anonymised data, further analysis steps are not required; in some jurisdictions access by authorities to encrypted data is prohibited; pseudonymised data may be anonymous for the recipient if they do not have access to the key allowing reversal of pseudonymisation. Plain text, in turn, involves a lack of safeguards.
To whom do you send personal data?
Indicate the name of the data importer
Data controller or processor?
What type of entity is the recipient; can they be classified as a protected recipient? Are they covered by professional secrecy (e.g. lawyer, doctor)?
Sector, e.g. real estate, legal services, telecommunications – this information may be useful in assessing the regulatory environment.
The country to which we send data, i.e. where the data importer is established or where it processes data.
The legal basis, i.e. the measures and safeguards indicated in Chapter V of the GDPR, i.e.:• a European Commission decision establishing an adequate level of protection,
• standard contractual clauses,
• binding corporate rules (BCR),
• approved codes of conduct and certification mechanisms,
• so-called ad hoc clauses and administrative arrangements,
• exceptions under Article 49 of the GDPR
Describe how you transmit data (e.g. by e-mail, air mail, FTP, dedicated tool). Describe what safeguards (technical and organisational) you apply and what the data recipient applies (e.g. end-to-end encryption, encryption at rest, restricted access to data, use of SFTP, establishment of a coordination team, additional contractual safeguards).
2Law and practice
The information on the third country law should be relevant, objective, reliable, verifiable, publicly or otherwise available. In practice, the primary source of jurisdiction-specific information should be a survey (reports, studies) sent by the data recipient indicating information relevant to the TIA. It is this that will be the basis for conducting the TIA. Examples of sources of knowledge:
- https://www.gov.uk/government/collections/human-rights-and-democracy-reports
- judgments of the ECtHR, judgments of the CJEU (Schrems II), decisions of supervisory authorities and judgments of national courts,
- guidelines and studies of WP29, EDPB (e.g. EDPB document "Government access to data in third countries"),
- https://www.coe.int/en/web/data-protection/reports-studies-and-opinions
- https://www.oas.org/en/iachr/reports/country.asp
- https://www.ohchr.org/EN/HRBodies/UPR/Pages/Documentation.aspx
- https://tbinternet.ohchr.org/_layouts/15/treatybodyexternal/TBSearch.aspx?Lang=en&TreatyID=8&DocTypeID=5
- https://globalprivacyassembly.org/wp-content/uploads/2020/10/Day-1-1_2a-Day-3-3_2b-v1_0-Policy-Strategy-Working-Group-WS1-Global-frameworks-and-standards-Report-Final.pdf
- https://www.afapdp.org/lafapdp/membres
- https://www.cnil.fr/en/data-protection-around-the-world
- reports of NGOs, international organisations,
- reports of chambers of commerce, consulting firms, law firms etc.,
- importer documentation – warrant canaries, reports (despite being explicitly indicated in EDPB Recommendations 01/2021, supervisory authorities may consider information about the absence of interference by authorities insufficient if the law guarantees such access).
Does the third country recognise privacy and personal data as protected goods? Are there regulations governing these issues?
The existence of laws alone does not guarantee protection. Unlawful states that do not respect human rights or lack independent judiciary will not guarantee adequate protection and enforceability of standard contractual clauses and other arrangements.
The existence of an independent supervisory authority (Article 52 of the GDPR and, among others, the CNIL tool: https://www.cnil.fr/en/data-protection-around-the-world will be helpful in the assessment) may significantly affect the possibility of disproportionate interference with individual rights and the assessment of compliance with personal data protection laws.
Members of the Council of Europe and other states may adopt Convention 108 or its updated version, the so-called Convention 108+ (see https://www.coe.int/en/web/data-protection/convention108/parties). In addition, there may be bilateral agreements (such as Privacy Shield).
The Russian Federation, despite leaving the Council of Europe, remains a party to Convention 108 as a non-member state of the Council of Europe, although there is no basis to assume that it will be respected by that country.
The answer may be extended to include other acts of international law, e.g. the Hague Convention on jurisdiction agreements.
On the basis of previous control questions, the exporter should be able to assess whether the rules comply with EU standards.
The EDPB uses the term "problematic provisions" (in our article, due to direct translation from the original: "problematic legislation"), which are regulations that: 1) impose obligations on recipients of personal data from the European Union or affect transferred data in a way that may breach the contractual guarantees of transfer tools concerning a substantially equivalent level of protection; and 2) breach the essence of fundamental rights and freedoms recognised in the Charter of Fundamental Rights of the European Union or go beyond what is necessary and proportionate in a democratic society to protect one of the important objectives also recognised in Union law or the law of EU Member States, such as the objectives listed in Article 23(1) of the GDPR.
It may turn out that despite recognising provisions as problematic, the exporter will consider that they do not apply or affect the given transfer. The exporter should therefore document how problematic legislation will not apply to the transfer/importer and consequently will not prevent the importer from fulfilling its obligations under the given safeguard.
3Access of special services to personal data in a third country
This question refers to the existence of clear, precise and accessible provisions of statutory rank that provide a basis for interference by authorities and establish minimum safeguards. Using the USA as an example, Section 702 FISA or Executive Order 12333 can be indicated, which however will not meet subsequent points of the test.
This question reflects the well-known principle of proportionality in data protection law, so our assessment will be similar to the balancing test, and therefore the necessity of the interference and its seriousness will need to be assessed in a similar way.
Necessary and proportionate will primarily be provisions giving data subjects appropriate guarantees and safeguards related to specifying clear criteria for authorities' access to data or ensuring judicial remedy and oversight of authorities' activities. The CJEU assessed such necessity and proportionality using US law in Schrems II
Under EU law, any interference with the right to privacy and data protection should be subject to an effective, independent and impartial system of oversight, which must be provided by a judge or other independent authority.
This means that on the basis of the information collected, it should be established whether any control exists over oversight measures and whether it is effective. In Schrems II, analysing the activities of civilian intelligence, the CJEU found that oversight is insufficient in the case of Section 702 FISA, and in the case of Executive Order 12333 there is no judicial oversight.
The last necessary European guarantee concerns the rights of data subjects to effectively pursue claims before an independent court or other authority.
For example, in Schrems II the CJEU pointed to the lack of rights granted to data subjects that could be enforced before a court, and the existence of the Privacy Shield Ombudsman does not allow an appeal remedy before a court or other body.
4Risk analysis

LEGEND

Based on the following legend, estimate the likelihood of a threat:

(1) low probability the materialization of a potential threat to the rights and freedoms of data subjects does not appear to be possible for the sources of risk selected;

(2) average probability the materialization of a potential threat to the rights and freedoms of data subjects seems difficult for the sources of risk chosen;

(3) high probability the materialization of a potential threat to the rights and freedoms of data subjects appears to be possible for the sources of risk selected;

(4) very high probability the materialization of a potential threat to the rights and freedoms of data subjects seems extremely easy for the sources of risk chosen.

Based on the following legend, assess the impact of the threat to the rights and freedoms of data subjects:

(1) low impact the data subjects will not be affected by the effects of the threat or will encounter minor inconveniences that they overcome without the slightest problems (time required to re-enter the data, impatience, irritation, etc.);

(2) medium impact – data subjects may encounter significant inconveniences that they will be able to overcome despite certain difficulties (additional costs, fear, misunderstanding, stress, minor physical injuries, etc.);

(3) high impact – data subjects may encounter significant inconvenience that they should be able to overcome, but with serious difficulty (financial fraud, being listed as unsupported customers at banks, property damage, loss of employment, lawsuits, deteriorated health, etc.);

(4) very high impacts data subjects may face significant or even irreversible consequences which they may not overcome (financial difficulties resulting, for example, from unpaid debt or incapacity to work, long-term psychological or physical injury, death, etc.).

Threat
Probability
Impact
Risk
5Test result
In view of the assessments they have made (e.g. context of processing, law and practice in the recipient country, access of special services to personal data), is the recipient able to provide a level of protection of personal data comparable to that of Europe?
Indicate and justify the decision taken by the administrator, including where the administrator has decided to transfer personal data to a third country despite a negative test result

Disclaimer

To obtain a meaningful result and risk assessment proposal, all calculator fields must be completed. Each aspect of personal data transfer should be analysed individually, in particular with regard to obligations under Articles 44-49 of the GDPR. For this reason, this calculator can serve at most as an auxiliary tool and cannot be the sole basis for decisions by any entity or person who uses the calculator at their own risk. ODO 24 sp. z o.o. is not liable to any entity or person for any indirect or direct consequences of using the calculator, in particular in the form of damages, liability to pay compensation or redress, imposed administrative fines, loss of profits or other adverse consequences.

TIA calculator icon

TIA calculator

What is a Transfer Impact Assessment (TIA) in the context of the GDPR?

A Transfer Impact Assessment (TIA), i.e. an assessment of the impact of a data transfer on the rights and freedoms of natural persons, is a process organisations must carry out to assess the risk associated with transferring personal data to third countries, i.e. outside the European Economic Area (EEA), on the basis of standard contractual clauses (SCC) and other safeguards under Article 46 of the GDPR. This requirement stems from the judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case.

When should I carry out a transfer impact assessment (TIA)?

A Transfer Impact Assessment (TIA) should be carried out before the planned transfer of personal data to a third country, i.e. outside the European Economic Area (EEA), where that transfer is based on standard contractual clauses.

It is also recommended to carry out a TIA in the following cases:

When laws change in the third country: In such a case you should assess whether those changes affect the level of protection of personal data. When the context of the data transfer changes: If the context of the data transfer changes, e.g. the type of data being transferred changes, or the manner of their processing changes, you should carry out a new TIA.

Periodic review of the TIA is also recommended. The purpose of this activity is to verify whether the organisation is able to ensure the security of the transferred data and that the transfer complies with GDPR requirements.

How to carry out a transfer impact assessment (TIA) in accordance with the GDPR?

A TIA should be carried out in a systematic and detailed manner, taking into account the specific circumstances of the data transfer, including the nature, scope, context and purposes of the processing.

The basic steps to consider when conducting a TIA include:

  • Context of the transfer: The first step is to provide a precise description of the planned transfer. This should include information about the categories of data to be transferred, the purpose of the transfer, the parties involved in the transfer, and how the data will be processed and protected both during the transfer and after their disclosure to the third country.

  • Assessment of the law and practice of data protection in the third country: You should assess the local data protection laws in the third country, including privacy law, the rights of data subjects, and the practices of local supervisory authorities (if any). This assessment should also consider whether there are effective legal remedies in the third country that data subjects can use in the event of a breach of their rights.

  • Risk assessment of the transfer: Conduct a risk analysis assessing the potential impact of the planned transfer on the rights and freedoms of data subjects. The assessment should take into account both the likelihood and the potential severity of a breach.

  • Decision-making: Based on the above assessments, decide whether to carry out the data transfer. If the transfer can be conducted without exposing data subjects to a disproportionate risk to their rights and freedoms, it may proceed to the next step. Otherwise, consider changing the transfer plan or applying additional technical and organisational safeguards.

  • Documenting the TIA: All information and decisions related to the TIA should be properly documented. TIA documentation may be required in the event of an inspection by the supervisory authority as evidence of compliance with the GDPR.

  • Monitoring and updating the TIA: The TIA should be monitored and updated periodically, especially when any changes occur in the context of the data transfer or in the law of the third country.
What elements should I include in a Transfer Impact Assessment (TIA)?

As part of a TIA the organisation must assess various aspects of the data transfer, including:

  • What personal data are being transferred? How sensitive are they? How much of it is publicly available?

  • Where do these personal data originate from?

  • What technical measures are used to protect these data? For example, if customer‑managed encryption keys are used, the possibility of access to the data by authorities of the third country is limited.

  • What laws apply in the third country in this area? How are they applied in practice? How likely is their application in relation to the specific personal data transfer?

The TIA must take into account both the law and data protection practice in the third country, as well as the existence of an independent supervisory authority and any international obligations undertaken by the third country. The TIA should be monitored and updated on an ongoing basis in light of any changes in the law of the third country.

In this way the TIA enables organisations to carry out a more comprehensive and flexible risk assessment, rather than focusing solely on the laws in force in the third country. This also includes assessing the potential impact of the data transfer on the rights and freedoms of the data subjects.

What are the consequences of failing to carry out a Transfer Impact Assessment (TIA) when it is required?

Failing to carry out a required Transfer Impact Assessment (TIA) can lead to various consequences that may have a serious impact on an organisation's activities. Some of these are:

  • Data protection breaches: If personal data are transferred to a third country without an appropriate TIA, this may lead to data protection breaches, which may result in financial penalties and other consequences.

  • Financial penalties: The GDPR provides for substantial fines for breaches, including improper conduct of a TIA. Fines can amount to up to 20 million euro or 4% of the organisation's global annual turnover, whichever is higher.

  • Reputational damage: Organisations that do not comply with the GDPR may suffer serious harm to their reputation, which can lead to a loss of trust among customers and business partners.

  • Suspension of the data transfer: The supervisory authority may order the suspension of data transfers to a third country if it finds that an appropriate TIA has not been conducted. Such an order may disrupt the organisation's activities, particularly if the data transfer is key to its operations.
Does every organisation that transfers personal data to the USA have to carry out a Transfer Impact Assessment (TIA)?

For transfers based on the executive decision of 10 July 2023 issued pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, establishing an adequate level of protection for personal data under the EU‑US Data Privacy Framework, if data are transferred to entities certified under the DPF programme, carrying out a TIA will not be necessary.

However, if the DPF does not apply, then in accordance with the CJEU judgment in Schrems II, organisations are obliged to carry out a Transfer Impact Assessment (TIA) when data are transferred outside the European Economic Area (EEA) on the basis of standard contractual clauses (SCC).

How often should I carry out a Transfer Impact Assessment (TIA)?

There is no fixed standard for how often a TIA should be carried out. The decision on the frequency of conducting a TIA should be driven by several factors, including:

  • The volatility of the law and practice in the country to which the data are transferred.

  • Changes in the nature and scope of the data being transferred.

  • Changes in the measures applied to protect the data.

  • The frequency and scale of data transfers carried out by the organisation.

In practice this means that a TIA should be carried out whenever there is a material change in any of the above factors. Additionally, a TIA should be carried out on a cyclical basis, even if no significant changes have occurred, to ensure that the assessment remains up to date. The purpose of this measure is to verify whether the organisation is able to ensure the security of the data being transferred and that the transfer complies with the requirements of the GDPR.

What are the key differences between a Transfer Impact Assessment (TIA) and a Data Protection Impact Assessment (DPIA)?

A Transfer Impact Assessment (TIA) and a Data Protection Impact Assessment (DPIA) are two distinct processes required by the GDPR, which serve different purposes, have a different scope and different criteria.

  • Purpose: A DPIA aims to identify and minimise the risks associated with the processing of personal data, particularly in the case of new projects or technologies that may have a significant impact on the rights of the data subjects. By contrast, a TIA is used to assess the risks associated with the transfer of personal data to a third country, particularly in the context of protecting that data from access by the authorities of that country.

  • Scope: A DPIA covers the entirety of personal data processing within a given operation or system, whereas a TIA focuses on the aspect of transferring data outside the EEA.

  • Criteria: A DPIA examines various aspects of data processing, including the purpose of processing, the categories of data being processed, data security principles, etc. A TIA, on the other hand, concentrates on assessing the law and practice in the third country, the technical and organisational safeguards in place during the transfer, and the type and sensitivity of the data being transferred.

  • Legal basis for carrying out the assessment: A DPIA is required by Article 35 of the GDPR in cases where processing is likely to entail a high risk to the rights and freedoms of natural persons. The requirement to carry out a TIA derives, among other things, from Article 46(1) of the GDPR and the Schrems II judgment.

Regardless of the above, nothing prevents a TIA or the conclusions of a TIA from forming part of a DPIA.

How should a Transfer Impact Assessment (TIA) be documented?

There are no established standards for documenting a TIA. TIA documentation should be stored securely and be made available on request to the supervisory authority. Depending on the size and complexity of the organisation and the nature of the data, the documentation may take the form of a formal report or be part of a broader data and risk management document.

Are there any tools or templates that can help in conducting a Transfer Impact Assessment (TIA)?

An example tool that can help in conducting a Transfer Impact Assessment (TIA) is the TIA Calculator prepared by ODO 24.

It is important to remember that while tools and templates can facilitate the TIA process, they do not replace a comprehensive legal and technical assessment required for the proper conduct of a TIA. Conducting a TIA is a complex process that depends on the specific context of the organisation and the data being transferred. Therefore, organisations should consult data protection experts to ensure they carry out a TIA in compliance with legal requirements.

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.