20 February 2025

CNIL Publishes Data Transfer Impact Assessment Guide

A&O Shearman


On January 31, 2025, the French supervisory authority (CNIL) published the final version of its guide on transfer impact assessments (TIA).

A TIA must be undertaken by organisations relying on one of the 'appropriate safeguards' of Article 46 GDPR to transfer personal data outside the EEA, the most common being standard contractual clauses and binding corporate rules. TIAs are carried out to assess the level of protection in the destination country and whether any risks can be mitigated by implementing supplemental measures.

In particular, a TIA should consider in detail whether the data importer will be able to meet its obligations under the transfer mechanism, especially as regards potential access to personal data by third country authorities.

The TIA guide is structured according to five initial pre-TIA steps:

  • Assessing whether a data transfer is taking place;
  • Evaluating whether a TIA should be carried out;
  • Assigning responsibility for carrying out the TIA;
  • Determining the scope of the TIA and any subsequent onward transfers; and
  • Assessing whether the transfer is compliant with GDPR principles.

Although organisations are free to draft their own form of TIA and will want to consider guidance issued by their own local regulators, the CNIL's guide may also be a useful point of reference for EU companies outside France, due to its level of detail and use of case studies.

Assuming a TIA is required, the guide then considers 6 practical steps that organisations can run through to ensure their TIA is compliant, including assessing the legislation and practices of the destination country and identifying supplementary measures.

The press release is available here and the guide is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
