Take control over your data. Create or revoke encryption keys, choose your environment for deployment, and build organizational measures by default using updated Standard Contractual Clauses (SCCs).
Operationalize the steps you must take and the additional safeguards you must apply to legally transfer personal data from the EU to a third country.
Minimize data privacy risks with pre-built templates based on EDPB guidelines to determine needed supplementary measures. Track implemented controls and contact updates with a centralized vendor record.
Monitor third countries and evaluate new transfers to ensure that supplementary measures remain effective. Manage the full third-party vendor lifecycle, including onboarding and offboarding.
Generate transparency reports, SCCs, and other privacy documentation with editable templates and publish them to the Third-Party Risk Exchange, making them visible to other organizations.
Streamline TIAs by centralizing assessments and using AI to automatically fill in new questionnaires based on your responses.
The Schrems II decision had a significant impact on how companies manage transatlantic data transfers. We cover some of the basics below.
The Schrems II decision is named after Max Schrems, an Austrian privacy advocate who raised concerns over the US’s surveillance laws and Facebook Ireland’s use of Europeans’ personal data. A previous case involving Schrems, known as “Schrems I,” invalidated the Privacy Shield’s predecessor, the Safe Harbor mechanism.
After the Schrems II decision, the European Data Protection Board (EDPB) published a roadmap to help organizations comply with EU law and ensure safe transfer of personal data. Among other things, the EDPB suggests that companies assess the third countries that they are transferring data to and determine if their privacy laws are sufficient. If a third country does not provide an adequate level of data protection, then companies should take supplementary measures and additional safeguards, such as establishing SCCs, binding corporate rules (BCRs), or ad hoc contractual clauses.
OneTrust helps by operationalizing Schrems II requirements. From a single platform you can automatically map data, assess vendors and third countries, and control policies and documentation. You can also stay up to date with the latest regulatory changes with DataGuidance, our regulatory research center built by legal experts from around the world.