Transfer Impact Assessment (TIA): the CNIL publishes the final version of its guide
In order to assist organisations transferring personal data outside of the European Economic Area (EEA), the CNIL publishes the final version of its guide on Transfer Impact Assessments. It follows a public consultation.
Guaranteeing the same level of protection as the GDPR for data transfer
Regardless of their status and size, a very large number of controllers and processors are concerned by the issue of data transfers outside the European Economic Area (EEA). The interpenetration of networks has multiplied the situations in which personal data are being processed in whole or in part in third countries that are not subject to EU law, in particular the GDPR, and may thus give rise to data transfers.
The principle established by the GDPR is that, in the event of a transfer, data must continue to enjoy protection substantially equivalent to that afforded by the GDPR. Chapter V of the GDPR contains specific provisions regarding data transfers.
The “Schrems II” judgment of the Court of Justice of the European Union (CJEU) highlighted the responsibility of data exporters transferring data outside the European Economic Area (EEA) and of importers in the country of destination. They must ensure that the processing is carried out, and continues to be carried out, in compliance with the level of protection set by EEA law. According to the CJEU, exporters also have the responsibility to suspend the transfer and/or terminate the contract if the importer is not, or is no longer, able to comply with its commitments on the protection of personal data.
The Transfer Impact Assessment
Thus, exporters relying on the transfer tools listed in Article 46(2) and 46(3) GDPR for their transfers have an obligation to assess the level of protection in the third country of destination and the need for supplementary measures.
Such an assessment is commonly referred to as a ‘Transfer Impact Assessment’ (TIA).
Following the recommendations of the European Data Protection Board (EDPB) on additional measures complementing transfer instruments, the CNIL has developed a guide to help data exporters carry out their TIAs.
In which cases should a TIA be carried out?
A TIA must be carried out by the exporter subject to the GDPR, whether controller or processor, with the assistance of the importer, before transferring the data to a country outside the EEA where that transfer is based on a tool in Article 46 of the GDPR (e.g., Standard Contractual Clauses, Binding Corporate Rules).
There are two exceptions to this requirement for the exporter:
- If the country of destination is covered by an adequacy decision of the European Commission
- If the transfer is made on the basis of one of the derogations listed in Article 49 GDPR.
What is the purpose of a TIA?
The objective of a TIA is to assess whether the importer will be able to comply with its obligations under the chosen tool taking into account the legislation and practices of the third country of destination – in particular as regards the potential access to personal data by authorities of the third country – and to document that assessment.
Where necessary, the TIA should also assess whether supplementary measures would address the identified data protection gaps and ensure the level required by the EU legislation.
What are the objectives and scope of the TIA Guide?
This guide is a methodology that identifies the steps prior to carrying out a TIA. It provides guidance on how the analysis can be carried out following the steps set out in the EDPB recommendations and refers to the relevant documentation. It does not constitute an assessment of the law and practices in third countries.
The use of this guide is not mandatory: other elements may also be taken into account and other methodologies applied.
As regards the steps prior to carrying out a TIA, this guide is organised around the following questions:
- Is there a transfer of personal data?
- Is it necessary to carry out a TIA?
- Who is responsible for the TIA?
- What is the scope of the TIA, in particular considering onward transfers?
- Is the transfer compliant with the principles of the GDPR?
As regards the implementation of the TIA, this guide is organised according to the six different steps to be followed in order to carry out a TIA:
- Know your transfer
- Identify the transfer tool used
- Evaluate the legislation and practices of the country of destination of the data and the effectiveness of the transfer tool
- Identify and adopt supplementary measures
- Implement the supplementary measures and the necessary procedural steps
- Reassess the level of protection at appropriate intervals and monitor potential developments that could affect it
What are the main changes in the final version of the Guide compared to the version submitted for public consultation?
From December 2023 to February 2024, the CNIL submitted its guide for public consultation. The consultation received 34 contributions mainly from professionals in the sector (data protection officers, lawyers, consultants, heads of professional networks). They represent players of all sizes (French and international groups, small and medium-sized enterprises, professional networks/business federations, etc.) and from various sectors (banking/finance, insurance, transport, industry, digital/IT, cosmetics/health, local and regional authorities, etc.).
Those contributions enabled the CNIL to improve the final version of the guide in both form and substance, to provide a number of clarifications on its content, and to consolidate or adjust certain reflections and analyses, in particular to take into account the latest opinions of the European Data Protection Board (EDPB).
A summary of the contributions with the CNIL's answers to the most complex remarks is published with the final version of the Guide.