Transfer of Personal Data Between the EU and the UK Under the GDPR

Transfer of Personal Data

Share This Post

International Data Transfer Impact Assessment Under EU GDPR & UK GDPR

Transfers of Personal Data Under EU GDPR

Articles 44 to 50 of the GDPR address the transfer of personal data to third parties or international organizations. The “Adequacy Decision” of the European Commission is the first place to look to determine the legality of an ongoing international personal data transfer.

Without an adequacy decision, the controller or processor must take steps to make up for the lack of data protection in a third country by providing the data subject with suitable protections. The adoption of binding corporate rules, standard data protection provisions issued by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses approved by a supervisory body are a few examples of acceptable measures.

What Is Transfer Impact Assessment – TIA?

In the field of privacy, “Transfer Impact Assessment” (TIA) is a relatively new concept. Clause 14 of the new standard contractual clauses (SCC), which were released by the European Commission in June 2021, establishes the requirement to carry out a TIA.

In personal data transfer processes, a TIA is an evaluation of the effect and security implications of a transfer to a nation outside the EEA that is not the subject of an adequacy decision by the Commission by a data controller or data processor.

A transfer impact assessment (TIA) should be carried out by organizations to evaluate:

  • The availability of access requests by third-country government agencies,
  • The third country’s legal system,
  • The third country’s actual implementation of its legal system,
  • If organizations have the ability to reject government access requests,
  • If legally binding international agreements (such as Convention 108) have been signed,
  • If a separate supervisory authority for privacy and data protection has been established,
  • If there are legal remedies available to data subjects and the extent to which these remedies extend beyond national borders.

In personal data transfer processes, a TIA can assist organizations in determining whether the transfer tool they are relying on will be effective in the transfer’s specific circumstances but it will also highlight any additional steps that may be required to guarantee a roughly equivalent level of data protection to that found under the GDPR.

United Kingdom – UK GDPR

You must conduct a risk transfer assessment if you are depending on the Article 46 transfer mechanism. This risk assessment will assist you in determining whether the pertinent protections for individuals under the UK data protection framework will be compromised given the transfer circumstances and the implementation of your selected Article 46 transfer mechanism.

What is a Transfer Risk Assessment – TRA?

By conducting a TRA, you may be sure that the Article 46 transfer mechanism will offer the necessary protections and effective, enforceable rights for persons in the particular circumstances of your restricted transfer.

There are two main categories of risk that your TRA must take into account:

• Threats to individuals’ rights in the destination countries posed by third parties who have access to the information but are not subject to the Article 46 transfer procedure, particularly governmental and public institutions,

• Threats to people’s rights resulting from challenges enforcing the transfer process described in Article 46.

When Should You Carry out a TRA?

If you are performing a restricted personal data transfer and want to use one of the Article 46 transfer methods, including the IDTA, Addendum, or BCRs, you must perform a TRA.

See also; EU Corporate Sustainability Reporting Directive

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847


You can contact us for more detailed information within the scope of our GDPR Compliance Services.

Contact Us

More To Explore

EU Corporate Sustainability Reporting Directive
Latest Development

EU Corporate Sustainability Reporting Directive

EU corporate sustainability reporting directive adopted. Council gives final green light to corporate sustainability reporting directive. The Council gave its final approval to the corporate

Cyber Resiliance Act
Latest Development

Cyber Resilience Act

In an effort to establish uniform cybersecurity rules for connected devices and services, the European Commission issued the Cyber Resilience Act (CRA) on September 15.