SaaS Agreements – Data Protection – Schrems II Data Transfer Assessments

Following the Schrems II judgement and the final European Data Protection Board (EDPB) Schrems II guidance, SaaS customers and SaaS suppliers are now required to carry out a data transfer assessment prior to transferring personal data outside the EEA to a “third country”. A third country is a country which does not have an “adequacy” decision from the EU. i.e. the USA.

Step 1: Data Mapping

When a SaaS supplier or SaaS customer is a data exporter i.e. when transferring personal data to a country outside the EEA with no adequacy decision, (for example: from the EU to the USA) the data exporter must identify and map the transfer of personal data from the EEA. This mapping includes onward transfers, i.e. from the data processor located in the USA to their sub-processor in Australia.

Step 2: Verify the Transfer Mechanism

SaaS suppliers and SaaS customers must identify the transfer tool relied upon prior to transferring the personal data outside the EEA. The possible transfer tools are:

  • the transfer is made to a country with an adequacy decision from the EU Commission i.e. a transfer from the EU to the UK; or
  • the transfer is made using SCCs;
  • the transfer is made pursuant to Binding Corporate Rules (BCRs); or
  • the transfer is based on an Article 49 derogation, such as consent or performance of a contract.

Step 3 – Assess the Effectiveness of the Transfer Mechanism

SaaS suppliers and SaaS customers must assess whether the SCCs/BCRs provide a level of protection in the third country “essentially equivalent” to the EEA protections. The data exporter must assess, where appropriate in collaboration with the data importer, whether there is anything in the law and/or practice in force in the third country that impinges on the effectiveness of the SCCs /BCRs. For example: requests made to a US company under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) for the US intelligence agencies to access data without a data subject’s consent or knowledge.

The level of protection should be assessed not just when the data is imported into the third country, but also when in transit (i.e. during the process of data being transferred). In other words, where public authorities in a third country, can access data with or without the data importer’s knowledge, through the importer or through any telecommunications providers.

The assessment should include:

  • consideration of any legislation and practices relevant to the specific data transferred; and
  • the documented practical experience of the data importer with respect to relevant prior access requests made by public authorities in the third country.

Where the data importer or data exporter is subject to “problematic legislation”, transfers are still permitted where:

  • the data exporter has no reason to believe such legislation will be applied in practice to the data exporter or data importer; or
  • supplementary measures can be implemented.

The data importer must provide the data exporter with relevant sources and information on local laws and data practices. All sources must be relevant, objective, reliable, verifiable and publicly available or otherwise accessible and clearly documented. Annex 3 of the SCCs includes a non-exhaustive list of such sources.

Step 4: Identify and Implement Supplementary Protection Measures

Supplementary protection measures must be adopted if the data transferred is not afforded a level of protection “essentially equivalent” to the EEA level of protection.

The EDPB guidance provides a non-exhaustive list of examples of technical, organizational and contractual supplementary measures and case studies with examples of technical measures that would or would not be effective. SaaS suppliers and SaaS customers should be aware that transfers of unencrypted data to cloud services or other processors when providing SaaS services are not protected or equivalent, if there is any “problematic legislation” in the third country “in practice”.

Actions to Take

SaaS suppliers and SaaS customers now need to:

  • carry out a data mapping exercise to identify all data transfers;
  • identify and assess the transfer mechanisms used to transfer data to third countries;
  • review and amend technical and organisational measures and implement supplementary protection measures where necessary;
  • use new SCCs in all new contracts entered into from 27th of September 2021;
  • replace the current SCCs with the new SCCs in all existing contracts by the 27th of December 2022.


Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

To register for my newsletter click here


Other related articles: