DPA Annex 3 — Transfer Impact Assessment template

v1.0.0 | Compliance: May 15, 2026 | Edit: April 28, 2026

Customer-facing Transfer Impact Assessment template for transfers of personal data to non-EEA Sub-processors.

This template is intended for Customers who, as data exporters, must conduct a Transfer Impact Assessment (TIA) for personal-data transfers to non-EEA Sub-processors used by WORQABLE BV in connection with the QRabl Service. It implements the methodology of the EDPB Recommendations 01/2020 (as updated) and reflects the post-Schrems II framework.

For the actual completed TIA performed by WORQABLE BV for each non-EEA Sub-processor, please request a redacted copy from privacy@qrabl.eu (provided to enterprise Customers under NDA).

How to use this template

  1. Identify the transfer (which Sub-processor, which dataset).
  2. Map the data flow.
  3. Identify the laws of the destination country with relevance to public-authority access.
  4. Assess the necessity and proportionality of those laws.
  5. Identify supplementary measures.
  6. Conclude on permissibility.

WORQABLE BV provides the technical inputs (data type, encryption, retention, residency) on request; the legal assessment in steps 3-5 is shared in the redacted TIA.


TIA template

Part 1 — Identification of the transfer

| Field | Value |
|---|---|
| Customer (data exporter) | your legal name + role + contact |
| Sub-processor (data importer) | e.g. Anthropic, PBC; OpenAI, L.L.C. |
| Transfer purpose | e.g. AI inference for label-page consumer chat / RAG embeddings |
| Transfer mechanism (Art. 46 GDPR) | EU-US Data Privacy Framework + Standard Contractual Clauses (Module 2, fall-back) |
| Date of assessment | yyyy-mm-dd |
| Reviewer | name + role |

Part 2 — Data flow mapping

| Question | Answer |
|---|---|
| Categories of data subjects | from DPA §3 / SCC Annex I.B |
| Categories of personal data | from DPA §3 / SCC Annex I.B |
| Special categories (Art. 9) | typically: none, by configuration |
| Data minimisation applied | e.g. anonymised IP, no raw user-agent, message-content only |
| Frequency of transfer | continuous |
| Volume | approximate volume per month |
| Storage at importer | per importer DPA — typically zero or 30 days for abuse review |
| Onward transfers by importer | per importer Sub-processor list |

Part 3 — Destination-country legal landscape

For transfers to the United States (Anthropic, OpenAI):

| Element | Assessment |
|---|---|
| Section 702 FISA + Executive Order 12333 | Continue to apply, but materially constrained by EO 14086 (October 2022), which establishes safeguards for signals-intelligence collection, an independent Data Protection Review Court, redress mechanisms for EU data subjects, and a proportionality requirement. The EU Commission considered these adequate in Decision (EU) 2023/1795 (the EU-US DPF adequacy decision). |
| Cloud Act | Compelled disclosure to US authorities possible in narrow circumstances; mitigated by technical and contractual measures below. |
| State-level laws | Limited public-authority access exposure; civil-discovery exposure mitigated by encryption and contractual restrictions. |
| Sectoral US privacy laws | HIPAA, CCPA: not directly applicable to the Sub-processor function. |

For transfers to other countries listed in Annex 3, the equivalent assessment is performed at the time the Sub-processor is added.

Part 4 — Necessity and proportionality assessment

The destination-country laws identified in Part 3 are constrained as described. After EO 14086 and the EU-US DPF adequacy decision, the residual risk to data subjects from public-authority access in the US is assessed as low for the data categories transferred (label content text + anonymised analytics, not special-category data, not law-enforcement-sensitive data).

For OpenAI specifically: zero-data-retention is enabled where the API tier supports it, materially reducing the surface for any public-authority access request.

Part 5 — Supplementary measures

WORQABLE BV applies the following supplementary measures (a non-exhaustive list aligned with EDPB Recommendations 01/2020):

Technical:

  • TLS 1.3 in transit to all non-EEA Sub-processors.
  • Data minimisation: no special-category data sent by default; the Customer is contractually obligated to notify before uploading such data.
  • For RAG embeddings: text chunks are sent without identifiers where possible; the Customer's choice of source documents determines the data sent.

Contractual:

  • The Sub-processor's commercial DPA expressly prohibits use of customer inputs for training of AI models.
  • Sub-processor flow-down: WORQABLE BV imposes equivalent obligations on its Sub-processors per DPA §7.
  • The Customer can disable AI features at any time.

Organisational:

  • WORQABLE BV reviews Sub-processor DPF status quarterly under the Vendor Review SOP.
  • WORQABLE BV maintains an internal incident playbook covering disclosure requests from non-EEA public authorities, including the obligation to challenge clearly excessive requests.

Part 6 — Conclusion

Based on Parts 1-5, the transfer is permissible under Chapter V GDPR via the layered transfer mechanism (DPF primary, SCCs fall-back) plus the supplementary measures.

This conclusion is reviewed at least annually and on any material change (new sub-processor, new data category, change to destination-country law, change to DPF status).

Part 7 — Customer-side acknowledgement

The Customer, by accepting the DPA, acknowledges:

  • the Customer has reviewed this TIA template;
  • the Customer is satisfied that the transfers described meet the Customer's own due-diligence requirements as data exporter;
  • the Customer remains responsible, as data exporter, for documenting its own assessment with respect to its own circumstances and for updating that assessment as needed.

For enterprise Customers, the redacted full TIA is provided on request via privacy@qrabl.eu under NDA.


Useful references

  • EDPB Recommendations 01/2020 on measures supplementing transfer tools (as updated)
  • Implementing Decision (EU) 2021/914 (Standard Contractual Clauses)
  • Decision (EU) 2023/1795 (EU-US Data Privacy Framework adequacy decision)
  • CJEU Judgment of 16 July 2020, C-311/18 (Schrems II)
  • US Executive Order 14086 of 7 October 2022

For TIA-related questions: privacy@qrabl.eu.