The transfer of personal data to third countries poses major challenges for companies. According to the GDPR, the level of data protection must also be maintained outside the European Economic Area (EEA). The French data protection authority CNIL has therefore developed guidelines for companies on how to carry out a necessary Transfer Impact Assessment (TIA). This procedure enables companies to assess the level of data protection in the recipient country and take appropriate protective measures.
When a transfer impact assessment is necessary
A Transfer Impact Assessment (TIA) is required if personal data is transferred to a third country and there is no general adequacy decision by the European Commission. Art. 46 of the GDPR requires that such a data transfer may only take place if appropriate safeguards are in place and enforceable rights and effective legal remedies are available to the data subjects.
Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) are the most common of these appropriate safeguards. These contractual mechanisms are intended to ensure that the processing of personal data in the third country offers a level of protection comparable to that in the European Economic Area (EEA). However, merely putting such mechanisms in place is not sufficient. Companies must check whether the third country can actually guarantee an adequate level of protection. In particular, the legislation there and the rights of public authorities to access the data must be analyzed.
Since the ruling of the European Court of Justice in the "Schrems II" case, it has been made clear that data exporters are responsible for a comprehensive assessment of the data protection framework in the recipient country. If an adequate level of protection cannot be guaranteed by standard contractual clauses or BCRs alone, additional measures must be taken. These can be of a technical, organizational or contractual nature, such as strong encryption techniques, pseudonymization or comprehensive audit and control mechanisms.
If it turns out that an equivalent level of protection cannot be achieved despite all measures, the transfer must not take place. Companies must also regularly check whether the framework conditions in the recipient country have changed and require a reassessment of the TIA. The obligation to carry out a TIA is only waived if the European Commission has issued an adequacy decision for the third country in question in accordance with Art. 45 GDPR or if one of the narrow exceptions in Art. 49 GDPR applies.
Aim and scope of a transfer impact assessment
The main objective of a TIA is to assess compliance with the data protection obligations of the data importer in the third country and to ensure that the level of data protection corresponds to that of the EU. This includes a detailed examination of the regulatory framework, in particular the data protection laws and the possibilities for state authorities to access the transferred data. A central role is played by the analysis of whether the legislation of the third country is compatible with European data protection principles or whether there are risks that could lead to inadequate protection of personal data.
A TIA comprises several aspects. First, the legal situation in the third country must be determined. This includes the existing data protection laws, the powers of the local data protection authorities and the enforceability of the rights of the data subjects. Secondly, the actual access possibilities of government agencies must be analyzed, particularly with regard to surveillance programs and legal obligations to disclose data. Thirdly, the effectiveness of the chosen transfer instrument, e.g. standard contractual clauses or binding corporate rules, must be examined. If these are not sufficient, additional protective measures must be taken.
Additional measures can be of a technical, organizational or contractual nature. Technical measures include strong encryption, anonymization or pseudonymization of data so that it cannot be read by unauthorized third parties. Organizational measures include the introduction of clear security guidelines, staff training and regular audits and checks. Contractual measures may include obligations on the part of the data importer to defend against government access and to inform the data exporter immediately of official requests.
Companies must carry out and document a comprehensive risk assessment. In addition, continuous monitoring is required in order to be able to react promptly to changes in legislation or official practice. If it turns out that an equivalent level of protection cannot be guaranteed, the transfer may not take place.
Here, the French data protection authority CNIL offers support for companies with its published guidelines. Companies are guided through a TIA in six steps, and tables provide support with the documentation.
Carrying out a transfer impact assessment in six steps
The CNIL defines six essential steps for a TIA:
- Knowledge of the transfer: First of all, the type of transfer, the parties involved and the sensitivity of the data must be determined. For this purpose, the data categories, transmission paths and storage duration must be documented.
- Identification of the transfer instrument: The legal basis for the transfer must be established. Standard contractual clauses or BCRs must be checked and correctly implemented.
- Evaluation of the destination country: The legislation of the recipient country is analyzed. In particular, surveillance powers and possible interventions by authorities must be examined. Companies must also assess whether legal protection mechanisms exist for data subjects.
- Identification and implementation of additional measures: If the third country's level of protection is inadequate, companies must take technical, organizational or contractual protective measures. These include encryption, pseudonymization and contractual obligations on the part of the data importer.
- Implementation of the supplementary measures: The identified protective measures must actually be implemented and operationally enforced. This can be done through internal policies, training and regular audits. This ensures that they are effective and that any obstacles (e.g. financial difficulties, unavailability of the relevant teams, etc.) are anticipated.
- Regular reassessment: The legal framework and the measures taken must be reviewed at regular intervals. If the legal situation or the practices of the authorities in the third country change, the TIA must be updated accordingly.
CNIL guide for TIA supports companies
The CNIL guidelines offer companies practical support for carrying out TIAs efficiently and meeting the data protection requirements of the GDPR. A key advantage is the structured approach, which gives companies a clear orientation when carrying out a TIA. This facilitates the identification of potential data protection risks and enables a targeted assessment of the data protection framework in the recipient country.
Another advantage lies in the practical applicability of the guidelines. Companies receive concrete instructions for the systematic analysis of the relevant legal, technical and organizational aspects. This helps small and medium-sized companies in particular, which may not have extensive data protection expertise, to ensure GDPR-compliant data transfer.
By detailing protective measures such as encryption, anonymization and contractual obligations of the data importer, the guide offers concrete recommendations for action. Companies can thus implement effective security measures to bring the level of data protection in the third country into line with the European level.
In addition, the CNIL's methodology facilitates the regular review and updating of the TIA. As the legal framework in third countries can change, the guide ensures that companies continuously adapt their measures and avoid potential compliance violations. This helps to reduce the risk of regulatory sanctions and strengthen the trust of business partners and customers in the handling of personal data.
Ultimately, the guide not only helps to fulfill legal obligations, but also improves the company's internal data protection strategy. Companies that apply the CNIL guidelines benefit from a systematic and efficient approach to international data transfer, which leads to a better data protection culture and more legal certainty in the long term.
Source: CNIL guidelines on transfer impact assessment