Schrems II for Data Rooms

The Schrems II judgment from the Court of Justice of the European Union (Case C-311/18, July 2020) invalidated the EU-US Privacy Shield and confirmed that controllers transferring personal data outside the European Economic Area must verify the destination country provides essentially equivalent protection. Where it does not, controllers must apply supplementary measures or stop the transfer.

For virtual data rooms, this means: (1) any EU-controller use of a non-EEA-hosted or non-EEA-contracted VDR provider triggers Chapter V GDPR transfer rules; (2) the controller must put Standard Contractual Clauses (or a similar valid mechanism) in place; and (3) the controller must conduct a transfer impact assessment (TIA) and, where necessary, apply supplementary technical or contractual measures.

This page explains the Schrems II analysis for a VDR procurement, provides a TIA template, and lists the supplementary measures buyers should look for.

Last updated: May 2026.


Schrems II in Brief

The CJEU's Schrems II ruling (C-311/18) held that the EU-US Privacy Shield did not adequately protect EU personal data from US surveillance laws (FISA Section 702 and Executive Order 12333). It invalidated Privacy Shield as a transfer mechanism and required controllers using SCCs to assess on a case-by-case basis whether the destination country's law could undermine the SCCs' protections.

In 2023 the European Commission adopted the EU-US Data Privacy Framework as a replacement adequacy decision. The DPF is currently valid but faces ongoing legal challenge; controllers should not rely on it as the sole transfer mechanism for sensitive deal data.


Implications for VDR Procurement

  • EU-hosted VDR with EU contracting entity — no Schrems II analysis required; Chapter V doesn't apply.
  • Non-EU-hosted VDR — Chapter V applies; need SCCs or DPF, plus a TIA.
  • EU-hosted VDR with US contracting entity (e.g., Datasite Ltd, with EU data centres but a US parent) — Schrems II analysis still applies because the parent may be subject to US legal process compelling disclosure of EU data.
  • Sub-processors with US ties — even if your VDR provider is EU-only, if its sub-processors include US entities, a TIA is needed for that flow.

TIA Template for a VDR

  1. Identify the data flow: which personal data, of which data subjects, going where, and why.
  2. Identify the legal mechanism: SCCs, DPF, BCRs, or derogations.
  3. Assess the legal context of the destination country: surveillance laws, judicial redress, and available data on government access requests.
  4. Assess practical likelihood of access: type of data, volume, sensitivity, sector.
  5. Apply supplementary measures where needed: encryption with EU-held keys, pseudonymization, contractual challenge-of-access duties.
  6. Document the assessment.
  7. Schedule periodic review (typically annually).

Common Supplementary Measures

  • Encryption with EU-held keys. Encrypt at rest and in transit; keys held by the controller or by an EU sub-processor outside US legal reach.
  • Pseudonymization. Replace direct identifiers in documents with pseudonyms; maintain a re-identification key in EU storage.
  • Sealed Cloud architectures. Provider-inaccessible storage (idgard's Sealed Cloud is a leading example) makes it technically impossible for the provider to disclose plaintext.
  • Contractual challenge-of-access clauses. Provider commits to challenge any government access request and to notify the controller where lawful.
  • Self-hosting. Open-source VDRs (Papermark) self-hosted on EU infrastructure remove the third-country transfer entirely.
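As an added illustration of the pseudonymization measure above (example code, not from any VDR provider named on this page), the sketch below derives pseudonyms with an HMAC under a controller-held key and keeps the re-identification table apart from the text that is uploaded to the room; the document, the names and the key are constructed, and the "EU storage" for the table is left to the controller's own systems.

```python
import hashlib
import hmac
import secrets

# Constructed sample deal document; every person named here is invented.
SAMPLE_DOC = (
    "Share purchase agreement between Anna Berg (seller) and Lars Holm (buyer). "
    "Anna Berg warrants the accounts; notices to Lars Holm go via counsel."
)
DIRECT_IDENTIFIERS = ["Anna Berg", "Lars Holm"]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same identifier and key -> same token, so
    cross-references inside the room still line up, while without the key the
    provider can neither reverse the token nor link it to a name."""
    tag = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"PSN-{tag}"


def pseudonymize(doc: str, identifiers: list[str], key: bytes) -> tuple[str, dict[str, str]]:
    """Replace direct identifiers; return (text for the VDR, re-identification table).
    The table is the additional information that stays with the controller in EU
    storage; only the returned text is uploaded."""
    table: dict[str, str] = {}
    # Longest identifiers first so a short name never clobbers part of a longer one.
    for ident in sorted(set(identifiers), key=len, reverse=True):
        psn = make_pseudonym(ident, key)
        table[psn] = ident
        doc = doc.replace(ident, psn)
    return doc, table


def reidentify(doc: str, table: dict[str, str]) -> str:
    """Controller-side reversal using the separately held table."""
    for psn, ident in table.items():
        doc = doc.replace(psn, ident)
    return doc


if __name__ == "__main__":
    # Key generated and retained by the controller; it is never sent to the provider.
    key = secrets.token_bytes(32)
    uploaded, table = pseudonymize(SAMPLE_DOC, DIRECT_IDENTIFIERS, key)
    print(uploaded)
    assert reidentify(uploaded, table) == SAMPLE_DOC
```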

Procurement Recommendation

For routine European M&A and fundraising deals, the cleanest answer is an EU-hosted VDR with an EU contracting entity. For deals where US bidders or US-based advisors must access the room, the modern baseline is EU hosting plus SCCs, a documented TIA, and watermarking with view-only controls.


Frequently Asked Questions

Is the EU-US Data Privacy Framework valid?

As of 2026, yes — the DPF is in force as the EU adequacy decision for US transfers. It faces ongoing legal challenge and could be invalidated. Controllers should not rely on it as the sole transfer mechanism for sensitive deal data.

Do I need a TIA every year?

Most controllers review TIAs annually or when there is a material change in the destination country's legal regime, the data flow, or the supplementary measures in place.

Can encryption be a sufficient supplementary measure?

Encryption with EU-held keys is the most commonly accepted supplementary measure. The European Data Protection Board's Recommendations 01/2020 treat it as effective only where (a) the encryption is state-of-the-art, (b) keys are held outside US legal reach, and (c) the provider cannot decrypt.

Does Schrems II apply to UK transfers?

Indirectly — the EU has issued a UK adequacy decision so EU-to-UK transfers do not require SCCs. The UK adequacy is reviewed periodically; if it lapses, SCCs and a TIA would apply.