SaaS Agreements – Data Protection – Schrems II: Data Transfer Assessments

SaaS suppliers are now required to map all personal data that they process and carry out a data transfer assessment (DTA) prior to making any international transfers of personal data to a “third country”. A third country is a country outside of the EEA, that does not have an “adequacy” decision from the EU. i.e. the USA. This is due to the Schrems II judgement and the final European Data Protection Board (EDPB) Schrems II guidance on international data transfers.

Map all Data Transfers

Before a SaaS supplier or SaaS customer can transfer any personal data to a country outside the EEA they must identify and map all personal data used in their business. This includes mapping all controller to controller transfers, controller to processor transfers, processor to processor transfers and processor to controller transfers.

  • A controller to controller transfer takes place when a SaaS supplier makes lead referrals to a company, or shares personal data with another SaaS supplier.
  • A controller to processor transfer takes place when a SaaS customer transfers personal data to a SaaS supplier when using their cloud services.
  • A processor to processor transfer takes place when a SaaS supplier transfers personal data to its sub-contractors, for example to a data centre, email services or backup provider.

Verify the Transfer Mechanism

Once personal data has been mapped SaaS suppliers and SaaS customers must identify whether any transfers of data are made to outside of the EEA. Where such international transfers are made the transfer tool relied upon must be identified. The possible transfer tools are:

  • the transfer is made to a country with an adequacy decision from the EU Commission i.e. a transfer of personal data is made from the EU to the UK; or
  • the transfer is made using SCCs;
  • the transfer is made pursuant to Binding Corporate Rules (BCRs); or
  • the transfer is based on an Article 49 derogation, such as consent.

Assess the Effectiveness of the Transfer Mechanism

Where the transfer mechanism used is SCCs, the SaaS supplier and SaaS customer must assess whether the transfer tool provides a level of protection in the third country “essentially equivalent” to the EEA protections. They must assess whether there is anything in the law and/or practice in force in the third country that impinges on the effectiveness of the SCCs. For example: requests made to a US company under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) by US intelligence agencies to access data without a data subject’s consent or knowledge.

The level of protection should be assessed not just when the data is imported into the third country, but also when in transit (i.e. during the process of data being transferred). In other words, where public authorities in a third country, can access data with or without the data importer’s knowledge, through the importer or through any telecommunications providers.

The assessment should include:

  • consideration of any legislation and practices relevant to the specific data transferred; and
  • the documented practical experience of the data importer with respect to relevant prior access requests made by public authorities in the third country.

Where the data importer or data exporter is subject to “problematic legislation”, transfers are still permitted where:

  • the data exporter has no reason to believe such legislation will be applied in practice to the data exporter or data importer; or
  • supplementary measures can be implemented.

The data importer must provide the data exporter with relevant sources and information on local laws and data practices. All sources must be relevant, objective, reliable, verifiable and publicly available or otherwise accessible and clearly documented. Annex 3 of the SCCs includes a non-exhaustive list of such sources.

Identify and Implement Supplementary Protection Measures

Supplementary protection measures must be adopted if the data transferred is not afforded a level of protection “essentially equivalent” to the EEA level of protection.

The EDPB guidance provides a non-exhaustive list of examples of technical, organizational and contractual supplementary measures and case studies with examples of technical measures that would or would not be effective. SaaS suppliers and SaaS customers should be aware that transfers of unencrypted data to cloud services or other processors when providing SaaS services are not protected or equivalent, if there is any “problematic legislation” in the third country “in practice”.

Actions to Take

SaaS suppliers and SaaS customers now need to:

  • carry out a data mapping exercise to identify all data transfers;
  • identify and assess the transfer mechanisms used to transfer data to third countries;
  • review and amend technical and organisational measures and implement supplementary protection measures where necessary;
  • use new SCCs in all new contracts entered into from 27th of September 2021;
  • replace the current SCCs with the new SCCs in all existing contracts by the 27th of December 2022.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here


Other related articles: