Skip to main content

On-demand webinar coming soon...

Schrems II Compliance

Streamline adoption of supplementary measures to achieve Schrems II compliance

Operationalize the steps you must take and the additional safeguards you must apply to legally transfer personal data from the EU to a third country. 

Schrems II compliance

Secure, custom controls for data exporters and importers

Take control over your data. Create or revoke encryption keys, choose your environment for deployment, and build organizational measures by default using updated Standard Contractual Clauses (SCCs). 

Document and visualize international data flows, data importers, and the third countries involved. Assess third countries, identify those without adequate protection, and send additional TIAs to vendors as necessary. Access vendor transparency reports, certifications, and pre-filled TIAs from the OneTrust platform. 

Minimize data privacy risks with pre-built templates based on EDPB guidelines to determine needed supplementary measures. Track implemented controls and contact updates with a centralized vendor record. 

Monitor third countries and evaluate new transfers to ensure that supplementary measures remain effective. Manage the full third-party vendor lifecycle, including onboarding and offboarding. 

Generate transparency reports, SCCs, and other privacy documentation with editable templates and publish them to the Third-Party Risk Exchange, making it visible to other organizations.  

Streamline TIAs by centralizing assessments and using AI to automatically fill in new questionnaires based on your responses.  

August 21, 2024

Transforming your data privacy and AI strategy with OneTrust

Join us for a live demo where we will discuss the advanced capabilities of OneTrust solutions in data privacy enforcement, first-party data collection, and AI innovation.

Play arrow icons on a green background.


The Schrems II decision had a significant impact on how companies manage transatlantic data transfers. We cover some of the basics below. 

It is a ruling made by the Court of Justice of the European Union (CJEU) in July 2020 that invalidated the EU-US Privacy Shield. As a result, organizations must find alternative data transfer mechanisms to comply with General Data Protection Regulation’s (GDPR) data privacy requirements. Standard contractual clauses (SCCs) can still be valid under the GDPR but would have to be assessed on a case-by-case basis. 

The Schrems II decision is named after Max Schrems, an Austrian privacy advocate who raised concerns over the US’s surveillance laws and Facebook Ireland’s use of Europeans’ personal data. A previous case involving Schrems, known as “Schrems I,” invalidated the Privacy Shield’s predecessor, the Safe Harbor mechanism. 

After the Schrems II decision, the European Data Protection Board (EDPB) published a roadmap to help organizations comply with EU law and ensure safe transfer of personal data. Among other things, the EDPB suggests that companies assess the third countries that they are transferring data to and determine if their privacy laws are sufficient. If a third country does not provide an adequate level of data protection, then companies should take supplementary measures and additional safeguards, such as establishing SCCs, binding corporate rules (BCRs), or ad-hoc contractual causes. 

We operationalize the requirements through our Privacy and Data Governance Cloud. From a single platform you can automatically map data, assess vendors and third countries, and control policies and documentation. You can also stay up to date with the latest regulatory changes with DataGuidance, our regulatory research center built by legal experts from around the world. 

Ready to get started?

Request a free demo today to see how OneTrust can guide your trust transformation journey.