Skip to content
Vectel
Support/Compliance and regulations

How do I handle US transfers after Schrems II, with SCCs or the EU-US DPF?

For transfers outside the EEA you need a valid basis. The EU-US Data Privacy Framework works for vendors that joined; otherwise you fall back on Standard Contractual Clauses plus supplementary measures.

Try this first

  1. 1List vendors that route data outside the EEA. Cloud, email, marketing, support tooling, all candidates.
  2. 2Check whether each vendor is certified under the EU-US Data Privacy Framework. The official list lives at dataprivacyframework.gov.
  3. 3Not certified? Use the European Commission Standard Contractual Clauses and run a Transfer Impact Assessment for that specific flow.
  4. 4Document supplementary measures: encryption in transit and at rest, key management in the EEA, government-request policy.
  5. 5Update your privacy notice so you transparently state which data go where, and on what legal basis.

When to bring us in

If you handle special-category data or work for healthcare or government, leaning only on DPF without your own assessment is risky. Get a GDPR lawyer involved.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works