A Transfer Risk Assessment (TRA) is a mandatory legal evaluation we conduct whenever personal data is sent to a country outside of the UK and EEA, unless that country is already covered by a GDPR adequacy decision (see below).
This means we compare the data protection laws of the destination country against our own. The goal is to ensure that your personal information does not lose any of its legal protection or security just because it has crossed an international border.
This assessment involves reviewing the sensitivity of the data and the data protection laws of the destination country. Our goal is to confirm that these laws align with our standards and that robust technical and contractual safeguards are in place.
TRAs are subject to periodic review to ensure any changes in laws or its application in the destination country are assessed and that personal data remains protected.
There must also be a legal transfer mechanism to share personal data outside of the UK or EEA. We rely on the following methods for our transfers:
- Adequacy Decisions – as adopted by the European Commission (Art. 45 of EU GDPR) or as adopted by UK Secretary of State (Art. 45 of UK GDPR/Section 17A of the Data Protection Act 2018)
- The European Commission’s Standard Contractual Clauses (‘SCCs’) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (‘IDTA’)
- For transfers to the US – the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPA, as set forth by the US Department of Commerce, European Commission and UK Government