
PolicifyAI

Published December 2025 · 11 min read

GDPR

Cross-Border Data Transfers After Schrems II: What You Need to Know

Transferring personal data outside the EU or UK? Standard Contractual Clauses, adequacy decisions, and Transfer Impact Assessments explained.

What Schrems II Changed

In July 2020, the CJEU invalidated the EU-US Privacy Shield framework, finding that US surveillance law did not provide EU data subjects with adequate protection. The ruling removed the most convenient transfer mechanism and placed the burden on organisations to assess every transfer to a third country.

Standard Contractual Clauses: The Primary Tool

The European Commission issued new Standard Contractual Clauses (SCCs) in June 2021, replacing outdated versions. The new SCCs are modular — covering controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. You must also conduct a Transfer Impact Assessment (TIA) before relying on SCCs.

Transfer Impact Assessments

A TIA must evaluate:

  • The nature of the data being transferred and the risks to data subjects
  • The laws and practices of the destination country regarding government access to data
  • Whether the importer can comply with the SCCs in light of those laws
  • What supplementary measures are needed to bring protection up to EU standards

Adequacy Decisions: The Simpler Path

Where the Commission has issued an adequacy decision, transfers can proceed without SCCs. Current adequacy decisions cover the UK, Japan, South Korea, New Zealand, Canada (commercial), and Switzerland. The EU-US Data Privacy Framework (July 2023) restored a form of adequacy for self-certified US companies. The UK-US Data Bridge (October 2023) provides an equivalent mechanism for UK-to-US transfers.

Supplementary Measures

Where a TIA identifies risks, the most effective technical measure is end-to-end encryption where the importer holds no decryption keys. Pseudonymisation, data minimisation, and contractual measures can also contribute but rarely suffice alone.

Practical Steps for Compliance

  • Map all third-country data transfers — include every SaaS tool and cloud provider
  • Replace old-form SCCs with the 2021 SCCs immediately
  • Conduct and document a TIA for each transfer destination
  • Check whether the EU-US DPF or UK-US Data Bridge applies to your US vendors
  • Implement encryption for transfers to jurisdictions with surveillance risks
  • Review transfer mechanisms annually and whenever adequacy decisions change
