Transfer Impact Assessment (TIA)

This document provides an overview of Pirsonal’s assessment of international data transfers from the European Economic Area (EEA) to the United States in connection with the provision of its services. It outlines the nature of the transfers, the applicable legal mechanisms, the potential risks under third-country laws, and the technical and organizational safeguards implemented to ensure an equivalent level of data protection in accordance with applicable data protection laws.

Scope of this assessment

This assessment applies to:

  • Customers established in the European Economic Area (EEA)
  • Transfers of personal data to the United States
  • Processing activities carried out by Pirsonal as a data processor
  • Transfers involving subprocessors or infrastructure located outside the EEA

Description of the data transfer

Roles of the parties

  • Controller: The customer (e.g., organization using Pirsonal)
  • Processor: Pirsonal

Categories of personal data

Depending on the use case, personal data processed may include:

  • Identification data (e.g., name)
  • Contact data (e.g., email address)
  • Media content (e.g., images, video, audio assets provided by the customer)
  • Metadata and interaction data (e.g., video engagement metrics)

Pirsonal does not determine the categories of data processed, which are defined and controlled by the customer.

Purpose of processing

Personal data is processed solely for the purpose of:

  • Generating personalized video content
  • Delivering video experiences to end users
  • Enabling interaction and engagement tracking
  • Supporting analytics and reporting

Transfer scenarios

Transfers to the United States may occur in the following scenarios:

  • When the customer selects US-based infrastructure
  • When subprocessors located in the United States are used
  • When content is delivered through globally distributed infrastructure (e.g., CDN)

The location of processing depends on the infrastructure configuration selected by the customer.

Legal basis for transfers

Transfers of personal data from the EEA to the United States are based on the European Commission’s Standard Contractual Clauses (SCCs), as adopted in Decision (EU) 2021/914.

Where applicable, Module 2 (Controller to Processor) is used.

These clauses are incorporated into Pirsonal’s Data Processing Addendum (DPA) and apply to relevant processing activities and subprocessors.

Assessment of third-country laws

Pirsonal has assessed the legal framework applicable in the United States, including laws that may permit access to data by public authorities.

This includes, in particular:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)
  • Executive Order 12333

These laws may allow access to certain data under specific conditions and subject to applicable legal processes.

Assessment context

In evaluating the potential impact of such laws, Pirsonal has considered:

  • The nature and sensitivity of the data processed
  • The purposes of processing
  • The likelihood of access in the context of Pirsonal’s services
  • The role of Pirsonal as a processor acting on customer instructions

Pirsonal does not provide services that involve large-scale surveillance, communications services, or activities typically associated with intelligence targeting.

Risk evaluation

Based on the above factors, Pirsonal considers that:

  • The likelihood of access by public authorities in a manner incompatible with EU data protection standards is limited
  • The data processed is generally of a nature that does not increase exposure to such risks
  • The processing activities are specific, limited in scope, and defined by the customer

Supplementary Measures for International Data Transfers

Pirsonal implements a combination of technical and organizational measures designed to ensure that personal data transferred outside the European Economic Area (EEA) is afforded a level of protection essentially equivalent to that guaranteed within the European Union.

These measures are applied in conjunction with applicable transfer mechanisms, including Standard Contractual Clauses (SCCs), and are aligned with current regulatory guidance.

Technical measures

Pirsonal applies technical safeguards to protect personal data against unauthorized access, disclosure, or loss:

  • Encryption in transit using secure protocols (TLS)
  • Encryption at rest for stored data
  • Access control mechanisms and authentication systems
  • Secure APIs and controlled data access layers
  • Logical separation of environments where applicable

Organizational measures

Pirsonal maintains internal controls and governance processes to support secure data handling:

  • Information Security Management System aligned with ISO/IEC 27001
  • Role-based access controls and least-privilege principles
  • Internal policies governing access, use, and protection of data
  • Vendor due diligence and contractual safeguards with subprocessors
  • Incident detection, response, and reporting procedures

Data minimization and processing limitations

Pirsonal limits the scope of data processing to what is necessary for the defined purpose:

  • Processing is performed only on documented customer instructions
  • Only required data fields are processed within the platform
  • No unnecessary duplication or persistence of data

Data retention and deletion

Pirsonal applies controls to limit how long personal data is retained:

  • Media assets are automatically deleted after rendering, where applicable
  • Storage duration can be configured based on customer requirements
  • Data is deleted or returned upon termination of services, subject to legal obligations

Access controls and confidentiality

Pirsonal restricts access to personal data to authorized personnel only:

  • Access is limited based on role and operational need
  • Personnel are subject to confidentiality obligations
  • Access is monitored and controlled through internal systems

Subprocessor controls

Pirsonal ensures that third parties involved in processing meet equivalent data protection standards:

  • Subprocessors are subject to written data protection agreements
  • Security and compliance measures are reviewed before onboarding
  • Subprocessors are required to implement safeguards aligned with applicable data protection laws

Customer control and configuration

Customers retain control over how their data is processed:

  • Ability to select EU-based or US-based infrastructure
  • Configuration of data storage and processing environments
  • Definition of data inputs and scope of processing

Assessment of effectiveness

These measures are designed to mitigate risks associated with international data transfers, including potential access by public authorities in third countries.

Taking into account the nature of the data, the purposes of processing, and the safeguards implemented, Pirsonal considers that these measures contribute to ensuring a level of protection essentially equivalent to that guaranteed within the European Union.

Supporting documentation

Further details are available in the following documents:

Conclusion

Taking into account:

  • The nature and purpose of the processing
  • The categories of personal data involved
  • The applicable legal framework
  • The technical and organizational safeguards implemented

Pirsonal considers that personal data transferred to the United States is afforded a level of protection that is essentially equivalent to that guaranteed within the European Union.
