GDPR Data Transfers Post-Schrems II: A Practical Guide
Navigate international data transfers after Schrems II with practical guidance on Transfer Impact Assessments, Standard Contractual Clauses, and supplementary measures.
The Post-Schrems II Landscape
The Court of Justice of the European Union's Schrems II decision in July 2020 fundamentally changed how organizations approach international data transfers. Privacy Shield was invalidated, and Standard Contractual Clauses (SCCs)—while still valid—now require case-by-case assessment of their effectiveness.
This guide provides practical steps for organizations navigating international data transfers in the current regulatory environment.
Understanding What's Required
The Transfer Mechanism Hierarchy
1. Adequacy Decisions Countries with EU-recognized adequate protection. Transfers can proceed without additional mechanisms.
Current adequacy countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay.
For the US: The EU-US Data Privacy Framework (DPF) provides an adequacy path, but only for US organizations that have self-certified to the DPF.
2. Standard Contractual Clauses (SCCs) Pre-approved contractual terms adopted by the European Commission. The 2021 SCCs (adopted 4 June 2021) replaced the 2001/2004/2010 sets; the old clauses could not be used for new contracts after 27 September 2021 and existing contracts had to be migrated by 27 December 2022.
3. Binding Corporate Rules (BCRs) For intra-group transfers in multinational organizations. Requires supervisory authority approval.
4. Derogations (Article 49 GDPR) Narrow exceptions for specific situations (explicit consent, performance of a contract, legal claims, vital interests, etc.). They are meant for occasional, non-repetitive transfers and are not suitable for systematic transfers.
Transfer Impact Assessments (TIAs)
Why TIAs Are Required
Schrems II established that SCCs alone don't guarantee adequate protection. Organizations must assess whether the destination country's legal framework allows the SCCs to provide effective protection in practice.
TIA Process
Step 1: Map Your Transfers
For each transfer, document:
- What personal data is transferred (categories of data and of data subjects, including any special categories)
- Purpose of the transfer
- Who the importer is (controller or processor)
- Destination country
- Current transfer mechanism
Step 2: Assess Destination Country Laws
Evaluate:
- Government access to personal data (surveillance laws)
- Scope of access powers
- Oversight mechanisms (judicial, independent authority)
- Data subject remedies
- Rule of law indicators
Step 3: Evaluate Effective Protection
Ask:
- Can the importer comply with the SCCs given local laws?
- Are there practical obstacles to exercising contractual rights?
- Is there a realistic risk of government access that would undermine protection?
Step 4: Identify Supplementary Measures
If laws may impinge on SCC effectiveness, identify measures to fill the gaps:
| Measure Type | Examples |
|--------------|----------|
| Technical | Strong encryption where the exporter alone holds the keys and the importer never processes plaintext, pseudonymisation with the re-identification key kept in the EU, split or multi-party processing |
| Organizational | Internal policies limiting access, audit rights, transparency reporting |
| Contractual | Additional commitments, notification requirements, obligations to challenge access requests |

Contractual and organizational measures cannot by themselves bind a foreign authority; where the problem is government access, the EDPB Recommendations 01/2020 expect an effective technical measure, with the other two types as support.
Step 5: Document and Decide
- Document your assessment and reasoning
- If effective protection is possible, proceed with the transfer
- If not, consider alternatives (EU processing, a different destination, no transfer)
The 2021 Standard Contractual Clauses
The Modular Approach
The 2021 SCCs use a modular structure:
| Module | Scenario |
|--------|----------|
| Module 1 | Controller to controller |
| Module 2 | Controller to processor |
| Module 3 | Processor to processor |
| Module 4 | Processor to controller |
Select the module(s) matching your transfer scenario.
Implementation Steps
1. Identify the Correct Module
- Who is the exporter (controller or processor)?
- Who is the importer (controller or processor)?
2. Complete the Annexes
Annex I: Parties (Part A), description of the transfer (Part B), competent supervisory authority (Part C)
Annex II: Technical and organizational measures of the importer
Annex III: List of sub-processors (Modules 2 and 3 only)
3. Execute the Clauses
- Signed by authorized representatives
- Retain executed copies

4. Conduct TIA
- Clause 14 of the SCCs requires the parties to assess local laws and practices and to warrant that they have no reason to believe these prevent compliance
- Document and retain the assessment (Clause 14 also requires making it available to the supervisory authority on request)

5. Implement Supplementary Measures
- If the TIA identifies gaps
- Document which measures address which risks
Special Considerations by Destination
United States
Option A: Data Privacy Framework
- Verify the importer is DPF-certified (check the DPF List at dataprivacyframework.gov)
- Confirm the certification is current and covers the data you transfer (the list shows whether HR data is covered)
- No TIA is required for transfers covered by the DPF adequacy decision, but SCCs or another Article 46 tool are still needed for any onward or non-covered transfer

Option B: SCCs for non-DPF recipients
- Conduct a TIA considering US surveillance laws (FISA Section 702, EO 12333)
- Take into account the safeguards introduced by EO 14086 (necessity and proportionality limits, the redress mechanism including the Data Protection Review Court); these apply to US intelligence access regardless of whether the importer is DPF-certified
- Consider technical measures (encryption with exporter-held keys, pseudonymisation, data minimization)
- Document the assessment
United Kingdom
- The UK has an adequacy decision, so transfers can proceed without SCCs or a TIA
- Monitor for changes (the UK decisions are reviewed periodically and contain a sunset clause)
Other Countries
- Research surveillance and government access laws
- Follow the EDPB Recommendations 01/2020 on supplementary measures and 02/2020 on the European Essential Guarantees for surveillance measures
- Consult legal counsel for complex scenarios
Practical Challenges and Solutions
Cloud Services
Most major cloud providers:
- Offer SCCs as part of their DPA
- Provide TIA documentation/questionnaires
- Offer regional data residency options

Action steps:
- Review the cloud provider's data processing terms
- Confirm SCCs are in place
- Obtain their TIA assistance documentation
- Consider data residency options for sensitive data, and check whether support or operations staff outside the region can still access the data
Group Companies
For intra-group transfers:
- SCCs can cover multiple group entities
- Consider BCRs for systematic intra-group transfers
- Conduct a TIA for each destination country
Sub-Processors
When your processor uses sub-processors in third countries:
- Module 3 SCCs (processor-to-processor) between your processor and its sub-processor
- Your TIA should cover the sub-processor countries
- Ensure the processor's contract addresses sub-processor transfers and the Article 28 notification of changes to sub-processors
Maintaining Compliance
Ongoing Monitoring
- Monitor legal developments in destination countries
- Watch for EDPB guidance updates
- Track adequacy decision reviews
- Reassess TIAs when circumstances change
Documentation Requirements
Maintain records of:
- Transfer inventory
- Executed SCCs
- TIAs for each destination
- Supplementary measures implemented
- Review dates and findings
When to Reassess
- New legislation in the destination country
- Relevant court decisions
- Guidance from supervisory authorities
- Changes in your transfer arrangements
- Recommended: at least annually
Common Mistakes to Avoid
Assuming SCCs are sufficient alone Post-Schrems II, SCCs must be accompanied by a documented TIA (Clause 14) and, where needed, supplementary measures.
Ignoring processor transfers Your processors may transfer data to sub-processors in third countries.
One-size-fits-all TIAs Each destination country needs specific assessment.
Outdated SCCs The 2021 SCCs replaced earlier versions, and the migration deadline for existing contracts was 27 December 2022. Ensure you are using the current clauses.
Inadequate technical measures Encryption is only effective if you control the keys and the importer never handles plaintext. Encryption at rest with importer-managed keys, or TLS in transit to an importer that processes the data in the clear, does not protect against compelled disclosure in the destination country. The same applies to pseudonymisation: an unkeyed hash of an email address or phone number can be reversed by guessing, so the key or re-identification table must stay with the exporter.
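To make the "you hold the keys" point concrete, here is an added example of pseudonymisation as a supplementary measure in the sense of EDPB Recommendations 01/2020 (use case 2). It is illustrative code written for this page, not part of the original article or any vendor's product. The sample records, field names and the assumed export purpose (billing analytics that needs only country and plan) are constructed for the example. The EU exporter keeps an HMAC key and the re-identification table; the importer receives keyed pseudonyms plus the minimised fields. The block also shows why an unkeyed SHA-256 of an identifier is not a real pseudonym: anyone with the data can reverse it by hashing guesses. In production the pseudonymised payload would additionally be encrypted with an exporter-held key; that step is omitted here to keep to the standard library.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records (assumed schema for illustration only).
# "email" and "phone" are direct identifiers; "country" and "plan" are the
# only fields the importer needs for its assumed purpose.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "phone": "+49 30 000001", "country": "DE", "plan": "pro"},
    {"email": "bob@example.com", "phone": "+33 1 000002", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "phone": "+49 30 000001", "country": "DE", "plan": "pro"},
]

# Data minimisation: the only fields allowed to leave the EU. Everything else
# is dropped before export.
EXPORT_FIELDS = ("country", "plan")
DIRECT_IDENTIFIERS = {"email", "phone"}


class EuExporter:
    """Pseudonymises records before export. The HMAC key and the
    re-identification table live only in this object, i.e. on the EU side."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}  # pseudonym -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        # Keyed hash: deterministic, so the importer can still join and count
        # per subject, but not invertible without the key.
        normalised = identifier.strip().lower().encode()
        p = hmac.new(self.key, normalised, hashlib.sha256).hexdigest()
        self._lookup[p] = identifier
        return p

    def export_record(self, record: dict) -> dict:
        out = {"subject_id": self.pseudonymise(record["email"])}
        out.update({k: record[k] for k in EXPORT_FIELDS})
        return out

    def export_batch(self, records: Iterable[dict]) -> List[dict]:
        return [self.export_record(r) for r in records]

    def reidentify(self, pseudonym: str) -> str:
        # Only the EU side can map a pseudonym back to the person.
        return self._lookup[pseudonym]


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def importer_guess(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack available to the importer, or to anyone who obtains
    its storage: hash each guess and compare. Works against unkeyed hashes;
    fails against HMAC output because the guesser lacks the key."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_pseudonym(candidate), pseudonym):
            return candidate
    return None


def leaked_direct_identifiers(exported: List[dict]) -> set:
    """Pre-export check: no direct identifier may survive in the batch."""
    return {k for rec in exported for k in rec if k in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    exporter = EuExporter()
    batch = exporter.export_batch(SAMPLE_RECORDS)
    print("leaked identifiers:", leaked_direct_identifiers(batch) or "none")
    print("alice joins across rows:", batch[0]["subject_id"] == batch[2]["subject_id"])
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("importer reverses HMAC pseudonym:", importer_guess(batch[0]["subject_id"], guesses))
    print("importer reverses unkeyed hash:", importer_guess(unkeyed_pseudonym("bob@example.com"), guesses))
```

The check in `leaked_direct_identifiers` is the kind of gate worth wiring into the export pipeline: it fails closed if a new field containing a direct identifier is added to the schema without anyone updating the export allow-list.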
Related Resources
- [GDPR Cross-Border Data Transfers](/kb/gdpr-cross-border-data-transfers)
- [GDPR Legal Basis for Processing Personal Data](/kb/gdpr-legal-basis-for-processing-personal-data)
- [GDPR Data Protection Impact Assessment (DPIA)](/kb/gdpr-data-protection-impact-assessment-dpia)
This article provides general guidance on international data transfers. Legal requirements vary by jurisdiction and circumstances. Consult with qualified legal counsel for advice specific to your organization.