CNIL publication on its website – 31 January 2025

The regulation of personal data transfers outside the European Union is one of the pillars of the personal data protection framework established by the GDPR (and, before it, by Directive 95-46 of October 24, 1994).

Since the CJEU’s “Schrems 2” ruling, data exporters can no longer rely solely on the signature of standard contractual clauses or the adoption of binding corporate rules when these transfer mechanisms are implemented. They are now obliged to assess the level of protection in the third country of destination to determine whether, taking into account the implementation of the chosen transfer mechanism, the transferred data will indeed benefit from a level of protection equivalent to that guaranteed within the European Union. If this is not the case, they must put in place additional safeguards or renounce the transfer.

The “Schrems 2” ruling has thus led to the need for specific studies, known in practice as “data transfer impact assessments” (or DTIAs). In this context, the CNIL has just published the final version of its guide to help exporters carry out their DTIAs.

Pre-DTIA checks

First of all, before carrying out a DTIA, the CNIL recommends checking several essential elements to determine the need for and scope of this assessment:

  • Existence of a transfer of personal data: The first point, which seems obvious but can be forgotten, is to check that the transfer does indeed concern “personal data” within the meaning of Article 4 of the GDPR. Next, it is necessary to determine whether a “transfer” operation is envisaged. The CNIL, referring to the EDPB guidelines on the subject, points out that a transfer involves three cumulative criteria:
    • An exporter (controller or processor) subject to the GDPR for the processing in question.
    • The disclosure or provision of data to another entity (the importer), distinct from the exporter (the CNIL recalls here that a disclosure, by an entity located in the EU, to one of its employees in a third country, is not a data transfer within the meaning of the GDPR).
    • The importer is located in a third country (outside the EEA), whether or not it is subject to the GDPR for the processing concerned.

For example, remote access from a third country to data stored in the EEA or cloud storage of data outside the EEA constitute transfers when they involve an entity legally distinct from the exporter.

  • Need to carry out a DTIA: A DTIA is required when the transfer is based on one of the “appropriate safeguards” set out in Article 46 of the GDPR, such as standard contractual clauses or binding corporate rules. Conversely, no DTIA is required if: (i) the country of destination benefits from an adequacy decision by the European Commission, attesting to an equivalent level of protection – e.g. the EU-US Privacy Framework; or (ii) the transfer is based on one of the derogations provided for in Article 49 of the GDPR – e.g. the explicit consent of the data subject or the necessity of the transfer for the performance of a contract.
  • Qualification of parties and responsibility for carrying out a DTIA: the CNIL recalls that it is essential to clarify the role of each party involved in the transfer: controller, processor or joint controller. This qualification determines the respective obligations in terms of data protection. The exporter, whether controller or processor, is generally responsible for carrying out the DTIA. However, the importer, who in principle has more information on the local situation and legislation, must assist the exporter. This obligation to assist is all the greater when the importer is a subcontractor of the exporter.

In certain situations, the exporter may have responsibilities towards an entity that is neither an exporter nor an importer. This is the case, for example, when a processor located in the EU exports data to a subsequent processor outside the EU, on behalf of a controller in the EU. In this case, the exporting processor must not only complete the DTIA, but also transmit it to its controller pursuant to Article 28(3)(h) of the GDPR in order to demonstrate compliance with its own obligations. The CNIL notes here that it will not be sufficient for the processor to send a simple executive summary without providing the concrete elements on which the DTIA was based.

  • Scope of the DTIA and consideration of subsequent transfers: The DTIA must cover all transfers envisaged, including subsequent transfers to other entities or third countries. It is therefore crucial to identify not only the initial transfer, but also any chain of subsequent transfers, in order to assess the risks associated with each transfer stage.
  • Compliance of the transfer with the principles of the GDPR: Lastly, the CNIL points out that a transfer of personal data is in itself a processing of personal data, and as such must comply with the fundamental principles of the GDPR (e.g. lawfulness, fairness and transparency, purpose limitation, data minimization).

Carrying out the DTIA

Once these preliminary checks have been made, the DTIA can be carried out. To this end, the CNIL proposes a six-step methodology. For each step, the authority includes in its guide a model table covering all the essential points that need to be filled in and taken into account in the analysis.

  1. “Know your transfer”: This first step consists of describing the precise characteristics of the planned transfer, identifying in particular the parties involved (exporter and importer), the categories of personal data and data subjects, the purposes of the transfer, its frequency, and so on.
  2. “Identify the transfer tool used”: This involves determining the legal instrument framing the transfer, such as standard contractual clauses, binding corporate rules or other mechanisms provided for by Article 46 of the GDPR.
  3. “Evaluate the legislation and practices of the destination country”: This stage involves an in-depth analysis of the third country’s legal framework, particularly with regard to the rights of data subjects, the obligations of data controllers and the powers of public authorities to access data. The CNIL stresses that the importer’s assistance is essential at this stage. In addition to the specific elements provided by the importer, the CNIL recommends referring to, among others, reports from international organizations and analyses commissioned by the EDPB for certain countries, which should be supplemented where necessary. The world map published by the CNIL on its website also contains some general information on the data protection framework in third countries.
  4. “Identify and adopt additional measures”: If the assessment reveals shortcomings in the level of protection offered by the destination country, and these shortcomings are not remedied by the (projected) effectiveness of the transfer tool used (standard contractual clauses, etc.), the exporter must identify and implement additional measures, whether technical, organizational or contractual, to guarantee a level of protection equivalent to that of the GDPR. The CNIL points out here that Annex 2 of EDPB Recommendations 01/2020 provides a non-exhaustive list of possible measures. The CNIL also points out that, in certain cases, no additional measures will be able to ensure a level of protection equivalent to European law. In such cases, the transfer must not be carried out.
  5. “Implement additional measures”: Once the measures have been identified, the authority recommends listing the actions to be taken and the procedures to be put in place to ensure their effective implementation.
  6. “Reassess the level of protection”: Finally, the CNIL recommends periodic reassessments to check that the level of protection remains adequate, particularly in the event of legislative changes in the destination country or changes in the conditions of the transfer.

The publication of this guide should provide a useful documentary resource in practice, guiding organizations step by step in carrying out their analyses. However, the availability of the model table and the CNIL’s insights is unlikely to be enough to substantially reduce the practical and legal complexity of this type of analysis for exporters (and importers).