Take control over your data. Create or revoke encryption keys, choose your environment for deployment, and build organizational measures by default using updated Standard Contractual Clauses (SCCs).
On-demand webinar coming soon...
Operationalize the steps you must take and the additional safeguards you must apply to legally transfer personal data from the EU to a third country.
Take control over your data. Create or revoke encryption keys, choose your environment for deployment, and build organizational measures by default using updated Standard Contractual Clauses (SCCs).
Document and visualize international data flows, data importers, and the third countries involved. Assess third countries, identify those without adequate protection, and send additional TIAs to vendors as necessary. Access vendor transparency reports, certifications, and pre-filled TIAs from the OneTrust platform.
Minimize data privacy risks with pre-built templates based on EDPB guidelines to determine needed supplementary measures. Track implemented controls and contact updates with a centralized vendor record.
Monitor third countries and evaluate new transfers to ensure that supplementary measures remain effective. Manage the full third-party vendor lifecycle, including onboarding and offboarding.
Generate transparency reports, SCCs, and other privacy documentation with editable templates and publish them to the Third-Party Risk Exchange, making it visible to other organizations.
Streamline TIAs by centralizing assessments and using AI to automatically fill in new questionnaires based on your responses.
The Schrems II decision had a significant impact on how companies manage transatlantic data transfers. We cover some of the basics below.
It is a ruling made by the Court of Justice of the European Union (CJEU) in July 2020 that invalidated the EU-US Privacy Shield. As a result, organizations must find alternative data transfer mechanisms to comply with General Data Protection Regulation’s (GDPR) data privacy requirements. Standard contractual clauses (SCCs) can still be valid under the GDPR but would have to be assessed on a case-by-case basis.
The Schrems II decision is named after Max Schrems, an Austrian privacy advocate who raised concerns over the US’s surveillance laws and Facebook Ireland’s use of Europeans’ personal data. A previous case involving Schrems, known as “Schrems I,” invalidated the Privacy Shield’s predecessor, the Safe Harbor mechanism.
After the Schrems II decision, the European Data Protection Board (EDPB) published a roadmap to help organizations comply with EU law and ensure safe transfer of personal data. Among other things, the EDPB suggests that companies assess the third countries that they are transferring data to and determine if their privacy laws are sufficient. If a third country does not provide an adequate level of data protection, then companies should take supplementary measures and additional safeguards, such as establishing SCCs, binding corporate rules (BCRs), or ad-hoc contractual causes.
OneTrust helps by operationalizing Schrems II requirements. From a single platform you can automatically map data, assess vendors and third countries, and control policies and documentation. You can also stay up to date with the latest regulatory changes with DataGuidance, our regulatory research center built by legal experts from around the world.
When we collect your personal information, we always inform you of your rights and make it easy for you to exercise them. Where possible, we also let you manage your preferences about how much information you choose to share with us, or our partners.
© 2025 OneTrust, LLC. All Rights Reserved.
On-demand webinar coming soon...