Schrems II has significant implications for your organisation if you transfer personal data outside of the EEA. The deadline to identify, assess and remediate all existing contracts with the new Standard Contractual Clauses (“new SCCs”) is 27 December 2022.

We have outlined below the key steps to follow in the next few months to help you with this task. 

What happened?


The Schrems II Case led to the invalidation by the Court of Justice of the European Union (CJEU) of the Privacy Shield as a data transfer mechanism between the EU and the US. The invalidation of the EU-US Privacy Shield in July 2020 meant that all transfers relying on the Privacy Shield had to immediately cease. The case also scrutinised the effectiveness of the SCCs.

The CJEU decision on SCCs

The CJEU advised that organisations must, on a case by case basis, verify that the personal data of EU citizens being transferred outside of the EEA will be adequately protected in the third country in line with the level of protection set out in the GDPR, taking into account local law and government practices. This assessment of transfers is conducted via Transfer Impact Assessments (TIA). 

New SCCs

SCCs are one of the key mechanisms to legally transfer personal data from the EEA to third countries which do not benefit from an EU adequacy decision. However, as a result of the judgement the SCCs had to be redrafted. Old SCCs, those that were adopted under the previous Data Protection Directive 95/46, can no longer be used. 

Get in touch

If you have any related questions or need further information, please get in touch with Tom Hyland of our Risk Consulting practice.

More in Risk Consulting