
Cross-Border Data Transfers After Schrems II

Updated 13 May 2026

Transferring personal data from the EU to countries without an EU adequacy decision — including the United States — requires a valid transfer mechanism under GDPR Chapter V. After the Schrems II ruling in 2020, the legal landscape shifted dramatically. This guide explains the current state of lawful EU data transfers and what your company needs to have in place.


Why International Transfers Are Regulated

GDPR restricts transfers of personal data outside the EU/EEA because the protection it guarantees should not be lost just because data crosses a border. A transfer to a country whose laws do not protect personal data equivalently, made without one of the Chapter V mechanisms described below, is treated as a compliance failure.

Most SaaS companies transfer data internationally without realising it. Using AWS us-east-1 to store user data is a US transfer. Using Salesforce (US company) as your CRM is a transfer. Using Slack is a transfer. Every third-party US SaaS tool you use as a sub-processor is a transfer that needs a valid mechanism.


The Current Transfer Mechanisms

1. Adequacy Decisions

The European Commission has determined that some countries provide essentially equivalent protection to the EU. Transfers to these countries require no additional mechanism.

Countries with adequacy decisions (as of 2026): Andorra, Argentina, Canada (commercial organisations — PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay, and — since July 2023 — the United States under the EU-US Data Privacy Framework (DPF).

United States: The DPF replaced the invalidated Privacy Shield. Transfers to DPF-certified US companies can rely on the adequacy decision. However, DPF certification is voluntary, so check the official DPF list to confirm whether each US vendor is actually certified. Non-certified US companies still require SCCs.

2. Standard Contractual Clauses (SCCs)

SCCs are the most widely used transfer mechanism for transfers to countries without adequacy decisions. They are pre-approved contract clauses issued by the European Commission that bind the data importer to GDPR-equivalent protections.

The current SCCs (issued June 2021) replaced the old SCCs and introduced a modular structure:

  • Module 1: Controller to controller transfers
  • Module 2: Controller to processor transfers
  • Module 3: Processor to processor transfers (sub-processor chains)
  • Module 4: Processor to controller transfers

Important: SCCs alone are not sufficient in all cases. After Schrems II, you must also conduct a Transfer Impact Assessment (TIA) to evaluate whether the laws of the destination country undermine the SCCs' protections — particularly government surveillance access to data.

3. Binding Corporate Rules (BCRs)

BCRs allow multinational groups to transfer data between entities within the same corporate group. They require approval by a lead supervisory authority and are only practical for large enterprises; they are not relevant for most SaaS startups.

4. Derogations (Article 49)

Limited exceptions apply for specific situations: explicit consent for occasional transfers, contractual necessity, vital interests, or important public interest reasons. These cannot be used as a general substitute for SCCs — they are genuinely for occasional, non-systematic transfers.


Transfer Impact Assessments (TIAs)

After the CJEU's Schrems II ruling, the European Data Protection Board (EDPB) requires that companies relying on SCCs for US transfers assess whether US surveillance laws — particularly FISA 702 and Executive Order 12333 — undermine the SCCs' protections.

A TIA involves:

  1. Identify the transfer: Who is the importer? What data is being transferred?
  2. Identify the relevant laws: What are the surveillance and access laws in the destination country?
  3. Assess practical impact: Is there a realistic risk that surveillance authorities will access this specific data? (Factors: type of data, type of importer, volume, sensitivity.)
  4. Determine whether SCCs are effective: If the laws effectively undermine the SCCs, supplementary measures are needed or the transfer should not proceed.
  5. Implement supplementary measures if needed: Encryption (with keys held in the EU and never available to the importer, which only works where the importer does not need the plaintext to provide the service), pseudonymisation, anonymisation, architectural changes.

For most commercial B2B SaaS data transferred to US cloud providers, a TIA will typically conclude that the risk of government access is low given the non-sensitive commercial nature of the data — but this assessment must be documented.


Practical Steps for Most SaaS Companies

Map your transfers

Identify every service provider that processes personal data and where their servers are located. Pay attention to:

  • Cloud infrastructure (AWS, GCP, Azure — check region settings)
  • Email and communication tools
  • CRM and marketing tools
  • Analytics platforms
  • Support tools
  • Payment processors
  • Any US-based API you call that processes user data

Check for adequacy

Is each destination country on the adequacy list? If yes (UK, Switzerland, Japan, Canada, etc.), no further mechanism is needed.

For US companies: are they DPF-certified? Check the DPF list.

Implement SCCs for remaining transfers

For non-adequacy, non-DPF transfers, execute the appropriate SCC module with the vendor. Most major vendors provide their SCCs in their settings portal or legal documentation section.

Complete Transfer Impact Assessments

For each SCC-based transfer to the US, document a brief TIA. For standard commercial SaaS tools processing business data, this can be a relatively short document, but it must exist.

Update your privacy notice

Disclose all international transfers, the countries they go to, and the mechanisms used.


The EU-US Data Privacy Framework: Is It Safe?

The DPF was challenged almost immediately after its adoption in 2023. Privacy advocacy groups, including those associated with Max Schrems, have indicated intent to challenge it at the CJEU.

The practical implication: the DPF may not be permanent. Companies that rely solely on DPF certification for US transfers are exposed if it is invalidated again (as Privacy Shield was in 2020). Implementing SCCs alongside DPF provides belt-and-suspenders protection.
