Transfer impact assessment – TIA
When you create a data recipient, you must answer whether a data recipient is in an insecure third country. If a data recipient is in an insecure third country, it is necessary to complete a TIA.
When working with data recipients, the column ‘Transfer impact assessment’ shows whether a risk assessment of data transfers to insecure third countries has been established. The column is only shown for data recipients that are set as being in an insecure third country.
- The green check mark indicates that a TIA has been filled in and that the risk is low or very low.
- A yellow exclamation mark indicates that a TIA has been filled in, but that the risk is medium.
- A blue text box appears when a TIA still needs to be filled in. How to complete it is described below.
A red exclamation mark may also appear next to a data recipient, indicating that the risk is very high.
Initial completion of the form
In the example below, it is assumed that the data recipient type is a data processor and that the insecure third country to which the transfer takes place is the United States. To open the form, press point 3 in the image above.
- This field is an introduction to the TIA to be completed. By clicking on this, you can read about why a TIA should be prepared and what a TIA is.
- Here you can see which insecure third country data is being transferred to. The country shown is the one you entered when you created the data recipient and stated that there is a transfer to an insecure third country.
- This lists all the work processes that use the data recipient, directly or indirectly. Any work process in which the data recipient has been entered will automatically appear in this form. Clicking on the field opens information about the legal basis for each work process and the types of information used in it.
- In this field you will find an overview of all the types of information used in connection with the data recipient. By clicking on the individual types of information, you will open a field where you can see exactly what information within the different categories is used.
You should now select the transfer basis. By clicking on the field, you can choose from the most common bases, but you can also select ‘other’, which will add a field where you will be able to choose from the other, less used options.
- Click here to see an overview of the most common transfer bases.
- Here you can choose between the different transfer bases by clicking on them.
- Click here if you want to see other transfer bases.
- You can click here to read more about each of the transfer bases.
Duration of the transfer
The duration you must specify covers how long the transferred information will be outside the scope of the GDPR. This varies greatly depending on whether it is a short processing operation, such as email addresses used for sending a mailing, or long-term storage, such as in connection with hosting services.
This duration can be described in several ways. You can choose to set an end date when all data is deleted or withdrawn, or you can specify the criteria for when data is deleted.
If data is stored or processed indefinitely outside the scope of the GDPR, it is recommended to reconsider this and explore other possible solutions.
Please note that it is not the duration of the contract that is to be specified. A contract may have no end date without the processing of data necessarily being open-ended as well.
This field in the form shows the security measures associated with the data recipient directly, or in connection with the IT systems or work processes to which the data recipient is directly connected. This overview is autogenerated from the other mappings created in the portal.
This means that these security measures do not necessarily cover all the security measures that apply to the individual data recipient. There is a free text field in the box below where it is possible to describe the additional security measures.
Based on this, you need to decide whether the security measures are sufficient to secure the data you send to the data recipient.
Here you need to specify which legislation in the receiving country may cause problems for the protection of data subjects’ rights.
Obligations of the data importer
Describe whether the data importer is obligated to notify the data exporter about unauthorised attempts at access as well as legally binding demands for disclosure from authorities.
It is worth clicking on the little blue ‘i’ next to the field to read more about the content of this field.
The data importer uses (sub-)processors
Here you must indicate whether the data importer uses sub-processors. By clicking on the field, you can choose between ‘yes’ and ‘no’. The use of sub-processors can complicate the process of making an adequate assessment of the real risks. To achieve the best possible result, it must be recorded whether the data importer uses sub-processors.
In the text box below, you can describe which sub-processors are involved, which countries they are in and how this affects the risk assessment in this TIA. Where there are many sub-processors, it is not necessary to mention them individually; simply note how the large number affects the risk assessment.
A risk assessment of the data transfer must now be carried out.
- Consequences: To see how to assess the consequences, click on point 2, where the different levels and what they reflect are explained in detail.
- This is an information box. Click this icon to open an in-depth field. The same applies to the calculation of the probability below.
- Use these buttons to set the level of consequences. When you click on the two buttons, you will be able to see the level you set, where the example says ‘missing assessment’. The same applies to the calculation of probability.
- Here is a free text field where you can write comments on the completion of the field.
- Probability: Here you need to evaluate the likelihood that unauthorised persons can access the personal data. The general procedures for processing personal data must be taken into account. If it is easy for unauthorised persons to access the information, the probability must be considered high.
- In this field, an overall assessment of the risk is made. The overall assessment is autogenerated based on how the above two parts of the risk assessment are assessed.
- Here you can choose whether the risk is accepted or not.
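The following Python model is an added illustration of the logic described on this page, not the portal's own code. It covers two things the text describes: the autogenerated overall risk derived from the consequence and probability levels, and the indicator shown in the ‘Transfer impact assessment’ column (green for low or very low, yellow for medium, red for very high, blue when the TIA is still missing, and no column at all for recipients outside insecure third countries). The five-step level scale, the risk matrix used to combine the two levels, and the treatment of a ‘high’ overall risk (shown red here, since the page only names ‘very high’) are assumptions; the sample recipients are constructed.

```python
"""Worked model of the TIA indicator and overall-risk logic (added example).

Not the portal's own code. The level scale, the combination matrix and the
handling of 'high' are assumptions; the indicator colours follow the page.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal scale used for both consequence and probability (assumed labels).
LEVELS = ["very low", "low", "medium", "high", "very high"]
MISSING = "missing assessment"  # shown before a level has been set


def combine_risk(consequence: str, probability: str) -> str:
    """Overall risk autogenerated from the two partial assessments.

    ASSUMPTION: the overall level is the higher of the two, raised one step
    when both are at least 'medium'. The page only says the overall value is
    derived from the two parts; the real matrix may differ.
    """
    if consequence == MISSING or probability == MISSING:
        return MISSING
    c, p = LEVELS.index(consequence), LEVELS.index(probability)
    level = max(c, p)
    if min(c, p) >= LEVELS.index("medium") and level < len(LEVELS) - 1:
        level += 1
    return LEVELS[level]


@dataclass
class DataRecipient:
    name: str
    insecure_third_country: bool
    country: Optional[str] = None
    consequence: str = MISSING
    probability: str = MISSING
    risk_accepted: Optional[bool] = None  # 'accepted or not' field

    def overall_risk(self) -> str:
        return combine_risk(self.consequence, self.probability)

    def tia_indicator(self) -> Optional[str]:
        """Value of the 'Transfer impact assessment' column.

        None   : column not shown (not in an insecure third country).
        'blue' : a TIA remains to be filled in.
        'green': risk low or very low; 'yellow': medium; 'red': very high.
        ASSUMPTION: 'high' is also shown red; the page does not name it.
        """
        if not self.insecure_third_country:
            return None
        risk = self.overall_risk()
        if risk == MISSING:
            return "blue"
        if risk in ("very low", "low"):
            return "green"
        if risk == "medium":
            return "yellow"
        return "red"


def recipients_needing_tia(recipients: List[DataRecipient]) -> List[str]:
    """Names of recipients whose TIA still has to be completed."""
    return [r.name for r in recipients if r.tia_indicator() == "blue"]


if __name__ == "__main__":
    # Constructed sample recipients (hypothetical, not real processors).
    sample = [
        DataRecipient("EU mail service", insecure_third_country=False),
        DataRecipient("US hosting provider", True, "United States",
                      consequence="low", probability="low", risk_accepted=True),
        DataRecipient("US analytics vendor", True, "United States",
                      consequence="medium", probability="low"),
        DataRecipient("New US sub-processor", True, "United States"),
    ]
    for r in sample:
        print(f"{r.name}: risk={r.overall_risk()}, indicator={r.tia_indicator()}")
    print("TIA missing for:", recipients_needing_tia(sample))
```

The `recipients_needing_tia` helper is the check a data protection officer would run regularly: any recipient flagged blue is a transfer to an insecure third country that has not yet been assessed.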
Conclusion of the TIA
Finally, write an overall conclusion based on the fields above. It must be decided whether it is justifiable to continue transferring data to the data importer or not. Here you can read an example of a concluding text:
In view of the above elements and parameters, the data exporter has chosen to continue to use the data importer as a provider. The known probability of disclosure/leakage of information must be considered relatively low; however, US authorities can, due to their legislation, access data. The type of data processed is of a general nature, which is why the consequences for the data subject must be considered minimal and within acceptable limits.