
DTIA: control over international data transfers and data sovereignty
International data transfer involves significant risks for organizations. Examples include access by foreign authorities, insufficient protection of personal data and loss of control over data. With a Data Transfer Impact Assessment (DTIA), you gain insight into these risks and meet the requirements of the GDPR.
DTIA is not just a compliance obligation, but an essential tool for governance and data sovereignty. It helps organizations make informed choices when using international suppliers and cloud solutions.
What is a DTIA?
A Data Transfer Impact Assessment (DTIA) is the basis for determining whether an international transfer (outside the EEA), for example one based on SCCs, offers a sufficient level of protection in your context and what additional safeguards are necessary.
Why does this affect data sovereignty?
Because a DTIA does not look only at paper (contracts) but at actual risks: jurisdiction, (possible) access by (foreign) authorities, chain dependencies and the effectiveness of measures.
European Data Protection Board (EDPB): when exactly is something a “transfer”?
The GDPR does not explicitly define “transfer”; that is why the EDPB uses three cumulative criteria. A data stream is an international transfer if:
- An exporter (controller or processor) is subject to the GDPR for that processing (art. 3).
- That exporter makes personal data available (by shipment or “otherwise”) to another organization (another controller/processor = importer).
- That importer is located in a third country (outside the EEA) or is an international organization.
International data transfer: when are you really at risk under the GDPR?
Do you work with cloud software, support teams outside Europe, or suppliers with sub-processors in the US, India, or the UK? Then there is a good chance that you are dealing with an international data transfer under the GDPR and that requires additional safeguards.
An international transfer takes place as soon as personal data becomes available to a party outside the EEA (the EU + Iceland, Norway and Liechtenstein) or an international organization. This happens more often than you think: not only when “moving data”, but also when it comes to remote access, management, support or hosting.
Briefly: as soon as a party outside the EEA can access personal data, you must demonstrate that the level of protection remains adequate.
International Data Transfers (GDPR Chapter V): Why a DTIA?
As soon as personal data becomes accessible outside the EEA (e.g. via cloud, remote support, or sub-processors), you fall under Chapter V of the GDPR. Then you must be able to demonstrate that the EU level of protection remains in place — even when the data crosses the border.
Is there no adequacy decision for the country? Then you often work with SCCs (or BCRs). But: contracts alone are not enough. You should also assess whether they work in practice. That's where a DTIA (Data Transfer Impact Assessment) comes into play.
What does a DTIA do?
A DTIA shows:
- Where the transfer takes place and who has access
- What risks there are (including legislation/access by authorities)
- What measures are required (such as encryption, key management, access control, logging)
- Why your transfer is defensible in audits and customer inquiries
What does it deliver?
With a DTIA, you have proof that you have addressed Chapter V seriously and that your SCCs have been supplemented with appropriate technical and organizational measures.
When is a DTIA advisable?
A Data Transfer Impact Assessment (DTIA) helps you gain control over risks related to international data transfers, before they become an issue.
Do you work with parties outside the EU, or are your systems (partly) accessible from third countries? If so, it’s wise to assess the risks to personal data. For example:
- Using U.S. cloud providers
- Collaboration with international SaaS vendors
- Outsourcing IT or HR services to third countries
- Remote access from non-EU countries
In these situations, conducting a DTIA is not just an administrative task — it’s an opportunity. It allows you to clearly map risks and demonstrate that you are in control.
Even when using Standard Contractual Clauses (SCCs), performing a DTIA is a logical step. Since the Schrems II ruling, the focus is no longer just on contractual safeguards, but on a key question: are the data truly protected in practice?
By proactively conducting a DTIA, you avoid unexpected issues, strengthen your compliance position, and build trust with clients and regulators.
In short:
Once personal data leaves the EU, you must assess whether this is done safely and lawfully.
How do you perform a DTIA? (Process Overview)
A DTIA follows a structured approach that gives you insight into the data flows, risks and necessary measures.
Step 1: Mapping the processing
Gather all relevant information about data processing, such as the type of personal data, the purpose of the processing and the parties involved.
Step 2: Identifying onward transfers
Check whether the data is transferred to other parties (sub-processors) and to which countries these transfers take place.
Step 3: Analysis of the third country
Assess the recipient country's laws and regulations, in particular the level of government access and protection of personal data.
Step 4: Risk Assessment
Weigh the identified risks and determine whether the level of protection is equivalent to that within the EU.
Use our DTIA tool for structured execution
Common mistakes with DTIAs
Many organizations implement DTIAs incompletely or incorrectly, leading to compliance risks.
Where it often goes wrong:
- Signing SCCs without any substantive analysis
- No assessment of the legislation in the third country
- Not implementing additional measures
- Not performing a periodic reassessment
- Insufficient or missing documentation
A DTIA is not a checklist, but a substantive risk analysis that must be demonstrable.
Our solutions
We support organizations in fully compliant implementation of DTIAs — from analysis to documentation.
DTIA-as-a-Service & Atlas
- Full implementation by privacy experts
- Analysis of legislation in third countries
- Comprehensive risk assessment
- Advice on additional measures
- Complete documentation for supervisors
With our tooling and expertise, you will quickly gain insight and certainty about international data transfers.
Learn more about our DTIA-as-a-Service & Atlas proposition
FAQ
Is a DTIA advisable?
Yes, in many cases it is. Especially when personal data is processed or accessible outside the EEA, a DTIA helps to identify risks and maintain demonstrable control over data protection.
How often do you need to review a DTIA?
A DTIA must be reviewed periodically and in case of relevant changes, such as new legislation or changes in processing.
What if a supplier does not provide information?
Then you may not be able to demonstrate that the transfer is secure, which means you should reconsider using that supplier.
Is a DTIA the same as a DPIA?
No. A DPIA focuses on the privacy risks of processing, while a DTIA specifically looks at risks associated with international transfers.