Transfer Impact Assessments were introduced in the Schrems II decision (the decision of the Court of Justice of the European Union, “CJEU”, in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems). In the decision, the CJEU made clear that personal data exporters must evaluate, on a case-by-case basis, whether adequate levels of privacy protection are provided. This evaluation is a data Transfer Impact Assessment.
However, a broader assessment may be needed to properly evaluate the level of protection in the third country. This may include answering the following questions:
- What kind of data is being transferred? Is it of a sensitive nature? What is its origin?
- Are you taking/have you taken any measures (technical and organisational) to protect the data?
- What national laws, regulations or other rules apply in the third country? How are they exercised in practice, particularly in relation to your data?
A Transfer Impact Assessment must be evaluated on an ongoing basis and updated as needed.