International personal data transfers are omnipresent in today’s globalized world and an integral part of most daily business activities. However, in the context of the Schrems II decision of the Court of Justice of the European Union (CJEU), these flows have been disrupted. The Privacy Shield, the primary tool for transfers between the EU and the USA, was declared invalid. Additionally, new obligations arose for companies in regard to their international data transfers, regardless of their destination. More than a year later, the decision continues to have a considerable impact on the data protection landscape.


In light of this, the European Data Protection Board (EDPB) has introduced a six-step approach to assist organizations to ensure all their personal data transfers are covered by EU safeguards. These are:

EU safeuards
  1. Understand when international (extra-EEA) transfers occur.
  2. Identify the transfer mechanism used to enact these data transfers, for example the modernized Standard Contractual Clauses published by the European Commission.
  3. Assess the effectiveness of the transfer tool if no adequate decision was made by the European Commission.
  4. Identify and adopt supplementary measures if this analysis reveals that the transfer mechanisms do not offer sufficient protection.
  5. Ensure procedural steps are taken to ensure these measures will be effective.
  6. Re-evaluate at intervals, since legislation in third countries or changes to the initial international transfer may require extra safeguards.