Pursuant to Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation (“GDPR” or “Regulation”), entities engaged in transferring personal data outside of the European Economic Area (“EEA”) must assess the level of data protection in the countries of destination and the necessity for implementing additional protective measures. In order to facilitate this process, the Commission Nationale de l'Informatique et des Libertés (“CNIL”) has released a preliminary version of the “Draft Practical Guide – Transfer Impact Assessment” for public consultation until February 12th, 2024 (the “Guide”). This Guide has been drafted following the European Data Protection Board’s (“EDPB”) Recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, adopted on June 18th, 2021, with the aim of supporting the preparation of Transfer Impact Assessments (“TIA”) by exporters of personal data.

Context

The concern of data transfer affects a broad spectrum of controllers and processors, irrespective of their nature (public or private, profit or non-profit) and scale (from multinational enterprises to small/medium-sized businesses and individual professionals). The proliferation of cross-border services, especially cloud-based solutions, has expanded the scenarios in which personal data is processed entirely or partially in third countries not governed by the GDPR. This situation necessitates data transfers under the specific conditions outlined in Articles 44-49 of the GDPR. As a general rule, the GDPR provides that the transfer of personal data outside the EEA is forbidden unless the third country ensures a level of protection adequate to the one afforded by the GDPR.

To this end, Article 45 of the GDPR provides that a transfer of personal data to countries outside the EEA may take place where the European Commission has decided – with an adequacy decision – that the third country in question ensures an adequate level of protection of personal data. In the absence of such a decision, Article 46 of the GDPR stipulates that a data transfer to a third country may occur only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In this regard, the tools that may constitute “appropriate safeguards” include, by way of example and without limitation, binding corporate rules (“BCR”) and standard contractual clauses (“SCC”). Finally, Article 49 of the GDPR provides certain derogations, such as the consent of the data subject, which allow the transfer of personal data in the absence of an adequacy decision or appropriate safeguards.

Notwithstanding the above, the Court of Justice of the European Union (“CJEU”), with its ruling “Schrems II”[1], has also emphasized the responsibility of exporters and importers to ensure that personal data is processed, and continues to be processed, in compliance with the level of protection set by EU data protection legislation. This responsibility includes suspending the transfer and/or terminating the contract if the importer is not, or is no longer, in a position to comply with its personal data protection obligations.

Cases where a TIA should be carried out

A TIA is required when controllers or processors, acting as exporters, plan to transfer personal data from an EEA country to a third country using the tools under Article 46 of the GDPR. The obligation to conduct a TIA does not apply if the data is destined for a country with an adequacy decision or if the transfer falls under the derogations in Article 49.

The purpose of the TIA

The TIA aims to assess the level of adequacy of data protection guaranteed by the local legislation and practices of the third country of destination, taking into account the practices of the authorities of that country regarding access to the transferred data. Where necessary, the TIA should enable the exporter to assess whether supplementary measures would make it possible to remedy the shortcomings identified and ensure the level of data protection required by EU legislation. In order to carry out the TIA, cooperation between the importer and the exporter is essential, considering the amount of relevant information that the importer has at its disposal. Moreover, such cooperation, within the framework of the relationship between a controller and a processor, constitutes one of the obligations outlined in Article 28 of the GDPR.

Purpose and Implementation of the Guide

As clarified by the CNIL, the Guide constitutes a methodology and, more specifically, a checklist for exporters, which identifies the various elements to be considered when carrying out a TIA. In fact, the Guide provides indications on how the analysis can be carried out by following the six steps set out in the EDPB’s recommendations and refers to the relevant documentation. In particular, the steps are the following:

It should be noted that the use of the Guide is not mandatory for the exporter and that it does not constitute an evaluation of the laws and practices in the third country or of the risks related thereto.

Conclusion

The CNIL promotes a dynamic approach to managing cross-border data transfer operations, emphasizing the exporter’s responsibility to conduct TIAs in order to ensure adequate protection. Although the Guide is still under public consultation until February 12th, 2024, the TIA methodology proposed by the CNIL represents a significant step towards balancing the free flow of data outside the EEA with the protection of individual rights in data management processes.

[1] Judgment of the Court (Grand Chamber) of 16 July 2020, “Schrems II”, C-311/18.