OneTrust today announced enhancements to our range of Schrems II Solutions to help organisations comply with the European Data Protection Board’s (EDPB) recommendations on measures that supplement transfer tools following the Schrems II decision. OneTrust’s Schrems II Solutions help both EU exporters and importers comply with the latest EDPB guidance.

Register for the webinar: Schrems II Fallout Continued: Finalised EDPB Recommendations Released  

In July 2020, the Court of Justice of the European Union (CJEU) ruled on the Schrems II case, invalidating the EU-US Privacy Shield. This decision required many organisations to evaluate alternative data transfer mechanisms to comply with personal data transfer requirements under the GDPR. In November, along with the release of a set of revised Standard Contractual Clauses (SCCs) by the European Commission, the EDPB released draft guidelines on “supplementary measures” to ensure compliance with the EU’s level of personal data protection when transferring personal data from the EU to a third country. Today, the EDPB finalised those guidelines after a public consultation period. 

The EDPB guidelines provide a roadmap data exporters can follow to ensure that personal data transfers are lawful and that they satisfy the GDPR’s accountability principle under Article 5(2). They also outline a set of contractual, organisational, and technical measures that can be implemented with the support of data importers to bring the data protection standards in line with the EU’s level of protection when transferring data to a third country. The key updates to this guidance include the following: 

  • Exporters should recognise the importance of examining third country public authorities’ practices in their legal assessments to help determine whether the legislation or practices hinder the effectiveness of the Article 46 transfer tool. 
  • Exporters may want to consider the practical experience of the importer when carrying out their assessments. 
  • The effectiveness of the data transfer tool may be affected by the legislation of the third country destination allowing its authorities to access the transferred data, even without the importer’s intervention. 

Operationalise the EDPB Guidelines with OneTrust Schrems II Solutions

OneTrust is helping both data exporters and importers operationalise the EDPB’s finalised guidelines with an enhanced set of tools, guidance, and templates live in the platform today. 

For data exporters, OneTrust’s Schrems II Solutions help carry out the EDPB’s six-step roadmap, including pre-built templates to assess third countries, perform Transfer Impact Assessments (TIAs), and evaluate the effectiveness of supplementary measures. OneTrust helps exporters:

  • Map Transfers: Centrally document and visualise all cross-border transfers, related data importers, and the third countries involved. 
  • Verify Transfer Tool: Document and verify the transfer mechanism for each transfer, enabling a risk-based approach to prioritise further analysis. 
  • Assess Effectiveness: Leverage pre-built templates and research to carry out Transfer Impact Assessments (TIAs) in collaboration with the data importer to determine if the documented transfer tool is effective in the context of each transfer. 
  • Adopt Measures: If the transfer tool is deemed ineffective, use pre-built templates based on the EDPB guidelines to determine the technical, contractual, or organisational supplementary measures that can be adopted. 
  • Update Contracts: Action any necessary steps from the analysis, such as updating contracts and implementing technical controls. 
  • Monitor and Re-evaluate: Monitor third-country developments and evaluate new transfers to ensure that supplementary measures remain effective and data importers honour their commitments.

For data importers, OneTrust helps operationalise privacy and security programs through the OneTrust privacy, security, and data governance platform, ensuring that the proper operational processes, technical controls, and compliance mechanisms have been implemented across the organisation. In addition to these foundational elements, OneTrust provides solutions to help data importers with specific operational challenges of Schrems II and the EDPB guidelines, including: 

  • Third Country Assessments: Prepare for requests from data exporters by proactively assessing third countries with pre-built assessment templates and third-country comparison from OneTrust DataGuidance.
  • Transparency Reporting: Be transparent about government surveillance requests by creating, managing, and centrally hosting a Transparency Report as part of your privacy policy.
  • Assessment Response Automation: Streamline response to the increased volume of Transfer Impact Assessments from data exporters by answering questions once to create a central answer bank, and then auto-applying those answers to subsequent questionnaires using AI and NLP technology.

“The EDPB’s final guidance on supplementary measures sets clear benchmarks for organisations as they work towards safe and reliable data transfers following the Schrems II decision and the invalidation of the EU-US Privacy Shield,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP). “OneTrust’s expanded range of solutions, research, and guidance will help organisations comply with these guidelines and better operationalise their privacy program.” 

For information on how OneTrust can support compliance with the Schrems II decision and the EDPB’s latest guidance, visit 

OneTrust, OneTrust Schrems II Solutions, and OneTrust DataGuidance are registered trademarks or trademarks of OneTrust LLC or its subsidiaries in the United States and other jurisdictions.    


About OneTrust 

OneTrust is the #1 fastest-growing company on Inc. 500 and the category-defining enterprise platform to operationalize trust. More than 10,000 customers, including half of the Fortune Global 500, use OneTrust to make trust a competitive differentiator, implementing central agile workflows across privacy, security, data governance, GRC, third-party risk, ethics and compliance, and ESG programs. 

The OneTrust platform is backed by 150 patents and powered by the OneTrust Athena™ AI and robotic automation engine, and capabilities include: 

  • OneTrust Privacy - Privacy Management Software 
  • OneTrust DataDiscovery™ - AI-Powered Discovery and Classification 
  • OneTrust DataGovernance™ - Data Intelligence Software 
  • OneTrust Vendorpedia™ - Third-Party Risk Exchange 
  • OneTrust GRC - Integrated Risk Management Software 
  • OneTrust Ethics - Ethics and Compliance Software 
  • OneTrust PreferenceChoice™ - Consent and Preference Management Software 
  • OneTrust ESG – Environmental, Social & Governance Software 

OneTrust has raised a total of $920 million in funding at a $5.3 billion valuation from Insight Partners, Coatue, TCV, SoftBank Vision Fund 2, and Franklin Templeton. OneTrust’s fast-growing team of 2,000 employees is co-headquartered in Atlanta and London with additional offices in Bangalore, Melbourne, Denver, Seattle, San Francisco, New York, São Paulo, Munich, Paris, Hong Kong, and Bangkok. 

To learn more, visit or connect on LinkedIn, Twitter, and YouTube.