Schrems II

Deadlines and penalties are approaching with the European Union decision known as Schrems II. We help global organizations manage these changes and challenges.

The Schrems II decision invalidated Privacy Shield — a common way to legally transfer personal data from the EU to the US used by thousands of companies with operations in the US. These organizations now have a tight timeline to identify a new transfer mechanism or risk fines of up to 4 percent of worldwide revenue. Many of these companies are turning to Standard Contractual Clauses, which just got an overhaul by the European Commission.

Given the huge amount of data flowing between the EU and US, enterprises are scrambling to understand how to accommodate all the legal changes and potentially manage updates to volumes of vendor contracts.

For more about Schrems II data transfer trends, view the recent webinar with Jill Abitbol, senior editor from Cybersecurity Law Report.

We’ve designed our approach around the EDPB’s six-step roadmap for data transfers: 

European Data Protection Board’s six-step roadmap for data transfers

Step 1: Know your transfers

Step 2: Identify transfer tools

Step 3: Assess effectiveness of transfer tools

Step 4: Adopt supplementary measures

Step 5: Take procedural steps

Step 6: Re-evaluate at appropriate intervals

Source: Recommendations by the European Data Protection Board, adopted on Nov 10, 2020

Trusted privacy experts + award-winning legal professionals

Unlike other privacy consultants, we partner with global law firms such as Taylor Wessing, covering dozens of jurisdictions with 1000s of lawyers to give you the best possible solution for your transfer needs.

Key impacts of Schrems II

To stay compliant with EU data privacy laws, organizations must:

The new SCCs must be implemented for any new transfer within 3 months after publication (e.g., by September 2021). There is only an 18-month period to update all existing vendors to the new SCCs.

This unbudgeted burden falls on under-resourced contract management teams who are saddled with outdated vendor management processes and potentially poor vendor data. Costs will climb as the need for legal assistance grows. Plus, you will need to keep your executives in the loop about possible significant disruptions to the business.

How we help

As experienced privacy project managers, we use a proprietary methodology to help rapidly respond to the near-term problems of:

Our process can help future-proof the vendor management process and applicable systems in anticipation of additional changes to privacy requirements that will likely occur in the future. We’ll help you capture where personal data is transferred, assess data transfers for permissibility, and see to it that internal and external stakeholders are engaged throughout the process.


Have questions about the Schrems II decision or the new SCCs? Let us help.