{"id":2602,"date":"2022-12-14T10:45:00","date_gmt":"2022-12-14T16:45:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2602"},"modified":"2025-05-13T14:17:45","modified_gmt":"2025-05-13T19:17:45","slug":"gdpr-schrems-ii-compliance-checklist","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/","title":{"rendered":"GDPR and Schrems II Compliance Checklist"},"content":{"rendered":"\t\t<section id=\"block_d3f2a559744e67e8de5798625fd1656d\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>GDPR and Schrems II Compliance Checklist<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_62548f0ca5e569ecdd798e24ffa93154\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t<div class=\"person-wrap\">\n\t\t\t<span>\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"110\" height=\"110\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/people-placeholder-lt-blue.png\" class=\"attachment-full size-full wp-post-image\" alt=\"\" \/>\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t<strong class=\"block name\">Annie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>Businesses managing international data transfers containing personal data of individuals in the European Union (EU) and\/or European Economic Area (EEA) to countries outside the EU must address the EU\u2019s General Data Protection Regulation and Schrems II compliance requirements.<\/p>\n<p>After the Schrems II decision on\u00a0July 16, 2020, U.S. businesses could no longer use the EU\u2013U.S. 
Privacy Shield for international data transfers because it was invalidated.<\/p>\n<p><strong>While a new Trans-Atlantic Data Privacy Framework was agreed in principle in March 2022, it has not been enacted.\u00a0<\/strong><\/p>\n<p>U.S. businesses are essentially on the same <a href=\"\/regulations\/gdpr\/\">GDPR<\/a> footing as any business operating in another country (any country not a member of the EU or EEA).<\/p>\n<p><a href=\"https:\/\/blog.trustarc.com\/2022\/04\/26\/eu-standard-contractual-clauses\/\" target=\"_blank\" rel=\"noopener\">Standard Contractual Clauses (SCCs)<\/a>\u00a0that were modernized after the Schrems II decision can be used to manage international data transfers from controllers or processors in the EU to their counterparts in other countries.<\/p>\n<h3>Schrems II compliance: expiry dates for older SCCs<\/h3>\n<p>The European Commission issued new SCCs under the GDPR for international data transfers on June 4, 2021.<\/p>\n<p><strong>Keep in mind that if your organization had any older SCCs already in place before June 4, 2021, the following expiry dates were set:<\/strong><\/p>\n<ul>\n<li>September 27, 2021 \u2013 from this date it was no longer possible to conclude contracts incorporating older sets of SCCs.<\/li>\n<li>December 27, 2022 \u2013 until now, controllers and processors could still rely on earlier SCCs for contracts concluded before September 27, 2021, if the processing operations described in the contract were unchanged.<\/li>\n<\/ul>\n<p>Below is a checklist of the main considerations for GDPR and Schrems II compliance before transferring any personal data from the EU.<\/p>\n<h2>Confirm GDPR and Schrems II compliance rules apply<\/h2>\n<p>The Schrems II case considered whether the use of SCCs could adequately protect the privacy of EU\/EEA citizens during international data transfers.<\/p>\n<p>In the final decision on SCCs, the Court of Justice of the European Union<strong>\u00a0ruled any SCC used for transfers of EU\/EEA 
citizens\u2019 personal data from the EU to other countries must result in an essentially equivalent level of protection of citizens\u2019 personal data to the protections provided in the EEA.<\/strong><\/p>\n<p>The court was extremely clear that if a company handles any personal data of any citizen in the EU or EEA \u2013 whether as a controller or a processor, or both \u2013 then GDPR compliance is essential.<\/p>\n<p>Under the GDPR, processing is defined as \u201cany operation or set of operations which is performed on personal data or on sets of personal data\u201d (GDPR Article 4(2)).<\/p>\n<p>A controller is defined as any entity that \u201cdetermines the purposes and means of the processing of personal data\u201d.<\/p>\n<h2>Ensure all parties in the data transfer meet the SCC requirements<\/h2>\n<p>Since the Schrems II decision, all organizations involved in international data transfers from the EU must prove they can meet all requirements of any SCCs they use.<\/p>\n<p>This applies equally to exporters of data from the EU and importers of data in other countries.<\/p>\n<p>Data importers must also confirm they will respect the core principles under the GDPR. 
The principles relating to processing of personal data are explained in GDPR Article 5:<\/p>\n<ul>\n<li>Lawfulness, fairness and transparency<\/li>\n<li>Purpose limitation (specified, explicit and legitimate purposes)<\/li>\n<li>Data minimization (the minimum amount of data needed for the purpose)<\/li>\n<li>Accuracy<\/li>\n<li>Storage limitation (kept no longer than is necessary for the purpose)<\/li>\n<li>Integrity and confidentiality (suitably secured)<\/li>\n<li><a href=\"https:\/\/trustarc.com\/resource\/gdpr-accountability-handbook\/\" target=\"_blank\" rel=\"noopener\">Accountability<\/a> \u2013 note: this principle also applies to controllers.<\/li>\n<\/ul>\n<h2>Conduct a data transfer risk assessment<\/h2>\n<p>Two weeks after the European Commission issued the new SCCs aimed at improving GDPR compliance, addressing issues raised by Schrems II, the\u00a0European Data Protection Board (EDPB) adopted its\u00a0<a href=\"https:\/\/edpb.europa.eu\/sites\/default\/files\/consultation\/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf\">final recommendations<\/a>\u00a0for international data transfers.<\/p>\n<p>&nbsp;<\/p>\n\t\t\t\t\t\t\t\t<div class=\"wide-img\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/data-transfers-flow.png\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/data-transfers-flow.png 1320w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/data-transfers-flow-300x163.png 300w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/data-transfers-flow-1024x557.png 1024w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/data-transfers-flow-768x418.png 768w\" sizes=\"(max-width: 1320px) 100vw, 1320px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<p>These recommendations set out a six-step roadmap to help organizations make data transfer risk 
assessments when considering transferring personal data from the EU:<\/p>\n<ol>\n<li><b>Know your transfers<\/b>\u00a0\u2013 reassess all data processing operations.<\/li>\n<li><b>Identify the tools you are relying on<\/b>\u00a0\u2013 review adequacy decisions, derogations and GDPR Article 46 transfer tools such as SCCs and binding corporate rules (BCRs).<\/li>\n<li><b>Assess appropriate safeguards<\/b>\u00a0\u2013 consider the circumstances of the transfer, including relevant legislation in the importing country, and decide which instrument\/s will be most effective.<\/li>\n<li><b>Adopt supplementary measures<\/b>\u00a0\u2013 organizations typically need to adopt organizational, contractual and technical measures to ensure data security.<\/li>\n<li><b>Get data processing agreement (DPA) approval<\/b>\u00a0\u2013 some transfer mechanisms (such as BCRs and ad hoc clauses) will require DPA approval.<\/li>\n<li><b>Review and update<\/b>\u00a0\u2013 commit to regularly reviewing your policies, tools, systems and processes for all activities related to GDPR compliance.<\/li>\n<\/ol>\n<h3>Assess surveillance laws in other countries<\/h3>\n<p>Since the Schrems II decision, all data importers and exporters must also assess the data legislation of importing countries, before concluding the SCCs.<\/p>\n<p>Data importers must verify the data laws in their country will not prevent them from meeting SCC requirements.<\/p>\n<p>If the data could be subject to surveillance laws that may interfere with a data subject\u2019s supplemental rights (such as the right to be informed, the right of access and the right to be forgotten), then the transfers cannot be made based on SCCs.<\/p>\n<h3>Will any personal data be transferred from the EU to the U.S.?<\/h3>\n<p>SCCs can be used for international transfers of personal data of EU\/EEA citizens from the EU to the U.S. on a case-by-case basis, provided the U.S. 
data importer is assessed as meeting all requirements of the SCCs.<\/p>\n<p>However, a key requirement of GDPR and Schrems II compliance is that SCCs cannot be used to allow the transfer of personal data from the EU to the U.S. if that data might be subject to collection and\/or access by U.S. authorities for national security purposes.<\/p>\n<h2>Remember the European essential guarantees for surveillance measures<\/h2>\n<p>After the Schrems I case, the European Data Protection Board (EDPB) published a new set of recommendations for international data transfers to ensure surveillance measures in any country would not have a negative influence on the protection of personal data and fundamental rights to privacy.<\/p>\n<p>The\u00a0<a href=\"https:\/\/edpb.europa.eu\/sites\/default\/files\/files\/file1\/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf\">EDPB recommendations published in February 2020<\/a>\u00a0\u2013 before the Schrems II decision \u2013 noted: \u201cthe applicable legal requirements to make the limitations to the data protection and privacy rights recognized by the Charter of Fundamental Rights of the EU justifiable can be summarized in four European Essential Guarantees\u201d:<\/p>\n<ul>\n<li>Guarantee A \u2013 processing should be based on clear, precise, and accessible rules.<\/li>\n<li>Guarantee B \u2013 necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.<\/li>\n<li>Guarantee C \u2013 an independent oversight mechanism should exist.<\/li>\n<li>Guarantee D \u2013 effective remedies need to be available to the individual.<\/li>\n<\/ul>\n<h2>TrustArc helps manage your GDPR and Schrems II compliance for international data transfers<\/h2>\n<p>TrustArc\u2019s expertise in data protection and privacy management helps organizations like yours identify your risks associated with international data transfers and manage compliance, including policy changes driven by landmark 
privacy cases such as the Schrems II decision.<\/p>\n<p>Our automated platform combines expert risk analysis and deep knowledge of regulatory compliance, including the GDPR, to keep your data transfer assessments up to date.<\/p>\n<a href=\"https:\/\/trustarc.com\/solutions\/international-data-transfers\/\" class=\"btn\"><span>Manage international data transfer risk<\/span><\/a>\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/compliance\/\" class=\"badge\">Compliance<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/gdpr\/\" class=\"badge\">GDPR<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" 
class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>TrustArc\u2019s experts explain regulations for international data transfers, including standard contractual clauses, General Data Protection Regulation and Schrems II compliance.<\/p>\n","protected":false},"featured_media":1692,"template":"","topic-resource":[61,63],"type-resource":[6],"class_list":["post-2602","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-compliance","topic-resource-gdpr","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>GDPR and Schrems II Compliance Checklist | TrustArc<\/title>\n<meta name=\"description\" content=\"TrustArc\u2019s experts explain regulations for international data transfers, including standard contractual clauses, General Data Protection Regulation and Schrems II compliance.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/\",\"name\":\"GDPR and Schrems II Compliance Checklist | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-blue.png\",\"datePublished\":\"2022-12-14T16:45:00+00:00\",\"dateModified\":\"2025-05-13T19:17:45+00:00\",\"description\":\"TrustArc\u2019s experts explain regulations for international data transfers, including standard contractual clauses, General Data Protection Regulation and Schrems II 
compliance.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/gdpr-schrems-ii-compliance-checklist\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-blue.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-blue.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"GDPR and Schrems II Compliance Checklist | TrustArc","description":"TrustArc\u2019s experts explain regulations for international data transfers, including standard contractual clauses, General Data Protection Regulation and Schrems II compliance.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/","url":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/","name":"GDPR and Schrems II Compliance Checklist | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-blue.png","datePublished":"2022-12-14T16:45:00+00:00","dateModified":"2025-05-13T19:17:45+00:00","description":"TrustArc\u2019s experts explain regulations for international data transfers, including standard contractual clauses, General Data Protection Regulation and Schrems II compliance.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/gdpr-schrems-ii-compliance-checklist\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-blue.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-blue.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2602","targetHints":{"allow":["GET"]}}],"collection"
:[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1692"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2602"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2602"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}