Before you choose a platform, plan your campaign first

Get the checklist

Transfer Impact Assessment (TIA)

This document provides an overview of Pirsonal’s assessment of international data transfers from the European Economic Area (EEA) to the United States in connection with the provision of its services. It outlines the nature of the transfers, the applicable legal mechanisms, the potential risks under third-country laws, and the technical and organizational safeguards implemented to ensure an equivalent level of data protection in accordance with applicable data protection laws.

Table Of Contents
  1. Transfer Impact Assessment (TIA)

Scope of this assessment

This assessment applies to:

  • Customers established in the European Economic Area (EEA)
  • Transfers of personal data to the United States
  • Processing activities carried out by Pirsonal as a data processor
  • Transfers involving subprocessors or infrastructure located outside the EEA

Description of the data transfer

Roles of the parties

  • Controller: The customer (e.g., organization using Pirsonal)
  • Processor: Pirsonal

Categories of personal data

Depending on the use case, personal data processed may include:

  • Identification data (e.g., name)
  • Contact data (e.g., email address)
  • Media content (e.g., images, video, audio assets provided by the customer)
  • Metadata and interaction data (e.g., video engagement metrics)

Pirsonal does not determine the categories of data processed, which are defined and controlled by the customer.

Purpose of processing

Personal data is processed solely for the purpose of:

  • Generating personalized video content
  • Delivering video experiences to end users
  • Enabling interaction and engagement tracking
  • Supporting analytics and reporting

Transfer scenarios

Transfers to the United States may occur in the following scenarios:

  • When the customer selects US-based infrastructure
  • When subprocessors located in the United States are used
  • When content is delivered through globally distributed infrastructure (e.g., CDN)

The location of processing depends on the infrastructure configuration selected by the customer.

Legal basis for transfers

Transfers of personal data from the EEA to the United States are based on the European Commission’s Standard Contractual Clauses (SCCs), as adopted in Decision (EU) 2021/914.

Where applicable, Module 2 (Controller to Processor) is used.

These clauses are incorporated into Pirsonal’s Data Processing Addendum (DPA) and apply to relevant processing activities and subprocessors.

Assessment of third-country laws

Pirsonal has assessed the legal framework applicable in the United States, including laws that may permit access to data by public authorities.

This includes, in particular:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)
  • Executive Order 12333

These laws may allow access to certain data under specific conditions and subject to applicable legal processes.

Assessment context

In evaluating the potential impact of such laws, Pirsonal has considered:

  • The nature and sensitivity of the data processed
  • The purposes of processing
  • The likelihood of access in the context of Pirsonal’s services
  • The role of Pirsonal as a processor acting on customer instructions

Pirsonal does not provide services that involve large-scale surveillance, communications services, or activities typically associated with intelligence targeting.

Risk evaluation

Based on the above factors, Pirsonal considers that:

  • The likelihood of access by public authorities in a manner incompatible with EU data protection standards is limited
  • The data processed is generally of a nature that does not increase exposure to such risks
  • The processing activities are specific, limited in scope, and defined by the customer

Supplementary Measures for International Data Transfers

Pirsonal implements a combination of technical and organizational measures designed to ensure that personal data transferred outside the European Economic Area (EEA) is afforded a level of protection essentially equivalent to that guaranteed within the European Union.

These measures are applied in conjunction with applicable transfer mechanisms, including Standard Contractual Clauses (SCCs), and are aligned with current regulatory guidance.

Technical measures

Pirsonal applies technical safeguards to protect personal data against unauthorized access, disclosure, or loss:

  • Encryption in transit using secure protocols (TLS)
  • Encryption at rest for stored data
  • Access control mechanisms and authentication systems
  • Secure APIs and controlled data access layers
  • Logical separation of environments where applicable

Organizational measures

Pirsonal maintains internal controls and governance processes to support secure data handling:

  • Information Security Management System aligned with ISO/IEC 27001
  • Role-based access controls and least-privilege principles
  • Internal policies governing access, use, and protection of data
  • Vendor due diligence and contractual safeguards with subprocessors
  • Incident detection, response, and reporting procedures

Data minimization and processing limitations

Pirsonal limits the scope of data processing to what is necessary for the defined purpose:

  • Processing is performed only on documented customer instructions
  • Only required data fields are processed within the platform
  • No unnecessary duplication or persistence of data

Data retention and deletion

Pirsonal applies controls to limit how long personal data is retained:

  • Media assets are automatically deleted after rendering, where applicable
  • Storage duration can be configured based on customer requirements
  • Data is deleted or returned upon termination of services, subject to legal obligations

Access controls and confidentiality

Pirsonal restricts access to personal data to authorized personnel only:

  • Access is limited based on role and operational need
  • Personnel are subject to confidentiality obligations
  • Access is monitored and controlled through internal systems

Subprocessor controls

Pirsonal ensures that third parties involved in processing meet equivalent data protection standards:

  • Subprocessors are subject to written data protection agreements
  • Security and compliance measures are reviewed before onboarding
  • Subprocessors are required to implement safeguards aligned with applicable data protection laws

Customer control and configuration

Customers retain control over how their data is processed:

  • Ability to select EU-based or US-based infrastructure
  • Configuration of data storage and processing environments
  • Definition of data inputs and scope of processing

Assessment of effectiveness

These measures are designed to mitigate risks associated with international data transfers, including potential access by public authorities in third countries.

Taking into account the nature of the data, the purposes of processing, and the safeguards implemented, Pirsonal considers that these measures contribute to ensuring a level of protection essentially equivalent to that guaranteed within the European Union.

Supporting documentation

Further details are available in the following documents:

Conclusion

Taking into account:

  • The nature and purpose of the processing
  • The categories of personal data involved
  • The applicable legal framework
  • The technical and organizational safeguards implemented

Pirsonal considers that personal data transferred to the United States is afforded a level of protection that is essentially equivalent to that guaranteed within the European Union.

Visit our Legal Center for additional documentation or security details

Legal Center

Related Legal Documents

Legal Notice

Review the terms governing access to Pirsonal’s website and services, including user responsibilities, acceptable use, liability limitations, and applicable jurisdiction.

Read More

Service Level Agreement (SLA)

Explore Pirsonal’s service commitments, including uptime guarantees, support response times, maintenance, and performance expectations.

Read More

Master Service Agreement (MSA)

Read Pirsonal’s Master Service Agreement (MSA) to understand how our personalized video platform, services, data protection, and legal terms are structured.

Read More

Professional Services Agreement

Access Pirsonal’s terms for consulting, implementation, fees, confidentiality, and data protection for personalized video execution services.

Read More

Data Processing Addendum (DPA)

Understand how Pirsonal processes personal data on behalf of customers, including GDPR obligations, roles, and safeguards for secure data handling.

Read More

International Data Transfers & Data Residency

Review how Pirsonal handles cross-border data transfers, including SCCs, data residency configurations, and GDPR-aligned safeguards.

Read More

Transfer Impact Assessment (TIA)

Understand how Pirsonal evaluates EU to US data transfers under GDPR, including safeguards and legal considerations.

Read More

Privacy Policy

Learn how Pirsonal collects, uses, and protects personal data in compliance with GDPR, including your rights, data usage, and security practices.

Read More

Standard Contractual Clauses (SCCs)

Access Pirsonal’s Standard Contractual Clauses (EU 2021/914) for secure international data transfers. Includes Module 2, annexes, and supplementary safeguards aligned with GDPR and Schrems II.

Read More

Publicity Opt-Out Request

Request to remove your company name, logo, or brand from Pirsonal’s website or client list. Submit your publicity opt-out request quickly and securely.

Read More

ISO 27001 Certification

Review Pirsonal’s ISO 27001 certification and our commitment to internationally recognized information security standards.

Read More

Information Security System Policy

Gain insight into Pirsonal’s Information Security Management System (ISMS), including risk management, internal controls, and security practices.

Read More

Security Overview

Learn how Pirsonal protects data through ISO 27001–aligned security practices, including access control, encryption, infrastructure, and secure delivery of personalized content.

Read More

GDPR Subprocessor Information

Explore our list of approved subprocessors and how third-party providers support our services while maintaining strict data protection standards.

Read More

Data Flow

Learn how Pirsonal’s software and services process data through a structured pipeline.

Read More

Responsible AI Use

Learn how Pirsonal supports AI-assisted personalized video workflows with customer control, human review, data protection, provider assessment, and EU AI Act awareness.

Read More