Thales banner

Schrems II

Thales enables organizations to maintain GDPR compliance in light of Schrems II ruling

Schrems II: Identifies the Gaps in GDPR

The General Data Protection Regulation (GDPR) laid down the requirements on securing personal data within the European Union (EU) or European Economic Area (EEA). However, it did not adequately address securing personal data of EU citizens when it is processed outside the EU by other countries, such as the transatlantic data flows that account for more than half of Europe’s transactions.

The recent Court of Justice of the European Union (CJEU) decision in the Schrems II ruling invalidated the EU-US Privacy Shield framework, since it did not adequately enforce EU’s GDPR regulations to protect personal data as it moved between EU and the US. With the nullification of Privacy Shield, and before that, Safe Harbor, companies are no longer protected from liability over those data transfers and they are looking for data protection solutions that can adequately protect global commerce.

EDPB Recommendations Help Close the Gaps

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout EU, and promotes cooperation between data protection authorities in each EU country. To address Schrems II ruling, EDPB recently adopted recommendations on supplementary measures along with a second document on EU essential guarantees, which gives guidance to non-EU countries on ensuring compliance with the EU-level of data protection of personal data. The new recommendations from EDPB allow organizations to build a trusted privacy framework to enhance transatlantic data flows

A Trusted Privacy Framework to Move Forward

Thales enables organizations to maintain GDPR compliance and adhere to the Schrems II ruling, using a trusted privacy framework for protecting transatlantic data flows that follow these overarching principles.

  • Discover and classify your sensitive data wherever it resides. That way you know what needs to be protected and then apply the appropriate security measures as outlined by GDPR.
  • Protect sensitive data using robust encryption. This means protecting data stored in on-premises data centers and in the cloud , and ensuring that it is not exposed to unauthorized users inside and outside the EU.
  • Control access to the data, by creating, storing and managing the encryption keys in the country of the origin of the data (data exporter) and maintain control over who has access to the keys to decrypt sensitive data in non-EU countries, and ensure that those countries can maintain adequate level of data protection according to the GDPR mandates.
  • Recommendations
  • Compliance

The Schrems II ruling underscores the need to ensure personal and sensitive data is protected under GDPR, when it is transferred to/from EU and other non-EU countries. As a result of the ruling European Data Protection Board (EDPB) recommends a six-step plan for continually assessing and protecting global data flows in-line with EU data privacy regulations.

Step 1: Know your data transfers

The first step is to ensure that you have a record of all data transfers with other countries outside the EU logging the series of processors and sub-processors. You must verify that the data you transfer is adequate, relevant and limited to what is necessary to be processed in the third country.

Step 2: Identify the transfer tools you are relying on

The second step is to identify the data transfer tools you are relying on among those listed in Chapter V of GDPR, and take decisions relating to some or all of the third countries to which you are transferring data, that they offer adequate level of protection of personal data.

Step 3: Assess whether the transfer tool is sufficient to meet GDPR (article 46) requirements

The transfer tool must ensure that the level of protection guaranteed by GDPR within the EU countries is as good in the third country outside the EU. Your assessment should take into consideration all the actors participating in the data transfer (e.g. controllers, processors and sub-processors) processing the data in third-countries.

Step 4: Adopt supplementary measures

If the assessment in step 3 has revealed that the transfer tool is not effective, then you will need to consider supplementary measures which, when added to the safeguards could ensure the same level of safeguards guaranteed within the EU are enforced for external data transfers.

Step 5: Procedural steps if you have identified supplementary measures

You may have to take these supplementary measures, if the primary measures used by the data transfer tools are not sufficient to protect the data.

Step 6: Re-evaluate at appropriate intervals

You must monitor on an ongoing basis, and where appropriate in collaboration with data importers in the third countries to which you have transferred data, put in sufficient mechanisms to promptly suspend data transfers, if the data importer breached the contract.

Thales enables organizations to maintain compliance with GDPR and adhere to the European Data Protection Board (EDPB) recommendations for adopting Schrems II ruling using the six-step plan for continually assessing and protecting global data flows.

The CipherTrust Data Security Platform unifies data discovery, classification, data protection, and unprecedented granular access controls with centralized key management under your control – all on a single platform. It enables organizations to deploy bring your own encryption (BYOE) and tokenization policies to protect sensitive data at rest in both EU (data exporter) and non-EU countries (data processors).

CipherTrust Data Security Platform


  • Discover: Before data is transferred out of EU, data exporters must be able to discover sensitive data records wherever they reside and classify them based on GDPR compliance requirements. CipherTrust Data Discovery and Classification enables organizations to get complete visibility into sensitive data on-premises and in the cloud, and then apply appropriate data protection measures as outlined by GDPR.
  • Protect: Once the data exporter knows where sensitive data resides, they can protect that data with encryption and tokenization solutions provided by CipherTrust Transparent Encryption and CipherTrust Tokenization before it moves to downstream data importers in other non-EU countries, and provide the same level of data protection in those countries too.
  • Control: Every data security regulation including GDPR requires organizations to control access to data, centralize key management services, and monitor authorized and unauthorized access to data and encryption keys. CipherTrust Manager and CipherTrust Cloud Key Manager enable data exporters and importers of EU to maintain control over keys and security policies across on-premises and multi-cloud environments.

Related Resources

Securing GDPR-compliant Data Post Schrems II - White Paper

Securing GDPR-compliant Data Post Schrems II - White Paper

This white paper describes how companies can adhere to the European Data Protection Board’s recommendations to address the Schrems II ruling, using the digital privacy framework provided by Thales’ data protection and trusted access management solutions.

GDPR Compliance in Multi-cloud Environments - eBook

GDPR Compliance in Multi-cloud Environments - eBook

The GDPR, which went into effect in May 2018, aims to protect the privacy of EU citizens. Any such data that you hold across your cloud environment(s) is ultimately your responsibility and under your ownership, leaving you subject to potential scrutiny under the new mandates. ...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Are You Ready for GDPR? - Paper

Are You Ready for GDPR? - Paper

GDPR mandates the procedures and dictates the consequences regarding data breaches and notification.

Schrems II and the Security of International Data Flows - Webinar

Schrems II and the Security of International Data Flows - Webinar

In July of 2020 the Court of Justice of the European Union issued the Schrems II decision in the case Data Protection Commission v. Facebook Ireland. That decision invalidated the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct...

Securing Access to Data in a Post Schrems II Era - White Paper

Securing Access to Data in a Post Schrems II Era - White Paper

The Schrems II decision will have a great impact on international commerce among companies doing business with the European Union (EU). The consequence of not paying attention to Schrems II could literally mean a partial or complete shut-down of data transfers between EU and...

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.