TIA for intragroup transfers
| Process description | Intragroup processing & outsourcing |
| Date of completion | 16 May 2025 |
| Updated | |
| Completed by | [-] |
| Information about the personal data transfer process | |
| The exporter of personal data | Travel Nerd ÖU |
| The country of the exporter | Estonia |
| The status of the exporter (controller/processor) | Controller |
| The importer of personal data | Sputnik LLC (Russia) |
| The country of the importer | Russia |
| The status of the importer (controller/processor) | Controller / Processor |
| The sector of the economy in which the importer operates | Online service (travel) |
| The purpose of the transfer | Providing intragroup services including marketing, customer care, IT, HR services, etc. |
| Categories of personal data to be transferred | Applicants: • Surname, first name, middle name • Date of birth • Registration address • Details of identity document • Details of services and bookings ordered • Contact telephone number • Contact email address • Nickname in messengers / social networks • Information about work experience • Employment preferences • Other information contained in CVs, as reported by job seekers during tests and interviews References: • Last name, first name, middle name • Place of work and position • Contact telephone number Employees: • Full name • Sex • Date and place of birth • Photo image • Information on citizenship • ID details • Social security number • Taxpayer Identification Number • Residence address • Contact telephone number, e-mail address and (or) information on other means of communication • Information on marital status, family composition (degree of kinship, surnames, first names, patronymics (if any), dates (date, month, year) and places of birth) • Information on education and (or) qualifications or special knowledge • Information on knowledge of foreign languages • Information on work activity, as well as information on previous places of work, periods and length of service, amounts of salary • Salary and payment information • Bank account details Emergency contacts: • Name • Contact details Contractors: • Full name • Date of birth • Address • ID • Bank account details • Information on foreign language proficiency • Place of work, position and division • Contact details • Information on tax status • Services information (contract details, performance, payments, etc.) Counterparties' representatives and other employees: • Full name • Place of work, position • Contact details • Services information (contract details, performance, payments, etc.) Directors, shareholders, and beneficiaries: • Full name • Passport or other ID details • Corporate reporting and bookkeeping details (certificates, etc.) Travellers: • Full name • Contact details • Date of birth • Information about devices, information about the Service usage • Information about the history of orders and payments using the Service • Payment details • Other information contained in the chat with the Guide • Other information contained in supporting documents (certificates, etc.) • Other information required by the Guide to fulfill Travel Services (age, ID, etc.) • System IDs • Reviews Other Travel Services participants: • Full name • Other information required by the Guide to fulfill the Travel Services (age, ID, etc.) • Other information contained in supporting documents (certificates) Guides: • Full name • Contact details • Date of birth • ID • Information about devices, information about the Service usage • Photo image • Travel Services information (event status, payment and booking details, event languages, etc.) • Details of means of payment • Other information contained in the chat with the Traveller • Other information contained in supporting documents (tour guide certificate, licences, etc.) • System IDs • Rating and reviews • Information on tax status • Other information in documents (certifications, statements, acts, invoices, etc.) with Guide Website visitors: • Technical information about visitors, their devices and browsers (token, IP address, user agent, device type, operating system, including version, peripherals, applications, http-headers, language preferences, etc.) • Account data (name, email, hashed password) Inbounds: • Full name • Contact details • Content of the inquiry |
| Are special personal data included? | No |
| The categories of data subjects | • Applicants • References • Employees, incl. former • Vendors, vendors' representatives and other employees • Directors, shareholders, and beneficiaries • Travellers and other Travel Services participants • Guides • Website visitors |
| Transfer channels in use | Email, messaging apps, SaaS software |
| The place of storage of the personal data transferred by the importer | Russia |
| The period of personal data retention by the importer | Until the end of the intragroup services agreement pursuant to the data retention terms |
| Does the importer intend to further transfer personal data (sub-processing, onward transfer)? | Yes, subprocessors & onward transfer (Russia, Kazakhstan) |
| Legislation and business practice in the country of destination | |
| Does the legislation provide for the possibility of public authorities having direct access to personal data? | Yes, on the basis of individual information requests. Mass surveillance laws do not apply to data processors. |
| Do the statutory requirements apply to the transferred personal data? | Yes |
| Is access to personal data possible only based on the court decision/under provisional measures? | Yes |
| Does the legislation provide for the possibility of public authorities directly sending requests to the importer for the provision of access to personal data? | Yes |
| Shall the importer challenge access by public authorities, its legitimacy and substantiation? | Yes, this is a requirement under the EU SCC to be entered into with the Company. |
| Is there a wide practice of disclosing data to public authorities concerning similar personal data processing activities? | No, there is little to no practice of requesting information on personal data from small and medium businesses. |
| Has the importer received requests from public authorities for information disclosure in similar cases of personal data processing over the last five years? | No |
| Detailed information on the legislation in the country of importer | https://edpb.europa.eu/system/files/2022-01/legalstudy_on_government_access_0.pdf https://www.dataguidance.com/notes/armenia-data-protection-overview |
| The assessment of risk to the rights and freedoms of data subjects where public authorities have access to the transferred personal data | Very low |
| The assessment of the probability of risk occurrence based on the nature of data and past experience of the importer | Very low |
| Safeguards | |
| A legal ground (guarantees/exceptions) on the basis of which it is intended to transfer personal data to the importer | Standard Contractual Clauses |
| Are data encrypted during the transfer? | Yes |
| Does the data importer gain access to the source (unencrypted) data? | Yes |
| Is it possible to carry out anonymisation / encryption (without transfer of access key to the importer) of personal data prior to their transfer to the importer taking into account purposes of the processing? | No |
| Is it possible to carry out pseudonymisation of personal data prior to the transfer? | No |
| Other organisational and technical measures taken to address the identified risks to the rights and freedoms of data subjects | Individual access control on a need-to-know basis, encryption in transit and at rest, NDAs, policies and instructions, vendor management, trainings and audits, security scanning, threat detection, pentests, physical security. |
| Decision | |
| Can the company perform transfer? | Yes |
| Do any special or additional safeguards need to be implemented? | N/A |