Standardization and automation of a transfer impact assessment in regard to the new EU standard contractual clauses

SKW Schwarz already reported that the EU Commission adopted new EU standard contractual clauses for international data transfers on June 4, 2021. These new EU standard contractual clauses can be accessed here. In the above-mentioned article, we already pointed out that a transfer impact assessment is required when utilizing these new EU standard contractual clauses. In the meantime, the Conference of the Independent Data Protection Authorities of the Federation and the States (DSK) has also pointed this out in a press release dated 21 June 2021. In our article linked above, we already recommended to implement a standardized process for conducting and documenting the transfer impact assessment.

This article is about such a transfer impact assessment and how to implement a standardized process.

What to consider in a Transfer Impact Assessment

Pursuant to Art. 14 lit. a of the EU standard contractual clauses, the contracting parties must warrant that they have no reason to believe that the data importer is prevented from fulfilling the obligations arising from the EU standard contractual clauses by applicable laws and practices in the third country. A corresponding assessment must be documented and made available to the competent supervisory authority upon request. Therefore, a short purely mental examination is usually not sufficient. Art. 14 lit. b of the EU standard contractual clauses contains specifications as to which aspects are to be taken into account for the transfer impact assessment.

If the result of the assessment is that the data importer is prevented from fulfilling the obligations arising from the EU standard contractual clauses by applicable laws and practices in the third country, either further technical, organisational or contractual measures must be taken to prevent this or personal data cannot be transferred. For the examination - as stated by the DSK in the press release linked above - the recommendations of the European Data Protection Board on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data can be utilized - the final version was adopted on 18.06.2021 after public consultation, which we had already reported on here.

Standardization and tool developed by SKW Schwarz

As the implementation of a transfer impact assessment is very time-consuming, it is strongly recommended to standardize the process. The process should be set up in such a way that the collection and evaluation of information is efficient. From our experience in recent months, we know that, especially in international groups of companies, the process of determining the facts can be very time-consuming. Therefore, at least the collection of information should be standardized. A further expansion stage is the automatic evaluation of answers to standard questions.

SKW Schwarz has developed a standardization tool for companies in the form of an Excel sheet, in which they can answer standardized questions and then receive an automatic evaluation.

In addition to preliminary questions as to whether such a transfer impact assessment has to be carried out, the questions relate to the categories of data, other circumstances of the transfer, the legal situation and practices in the recipient country, and technical and organisational measures. The questions cover the list of criteria in Art. 14 lit. b of the EU standard contractual clauses. The recommendations of the European Data Protection Board on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data were taken into account in the tool.

Summary of the recommendations for action for a transfer impact assessment

For reasons of efficiency, it is highly recommended that the process for carrying out a transfer impact assessment is standardized. In this respect, at least a process should be implemented in which the information can be collected in a standardized manner. A further expansion stage of a standardized process is the automatic evaluation of the answers to the questions and thus an automation of a transfer impact assessment.

We are happy to provide our clients with the tool developed by SKW Schwarz for carrying out the transfer impact assessment and, if required, also adapt it to the respective processes in the company. If you are interested in our tool, please contact us at any time.