The Schrems II Checklist: Is Your Marketing Stack Actually GDPR Compliant?
A practical compliance checklist for European marketers. Audit your tools for GDPR data transfer compliance using SCCs, TIAs, and European alternatives.

The Schrems II ruling changed how European businesses handle personal data. Nearly six years later, many marketing teams still haven't fully adapted. If your stack includes US-based tools, you need to verify that every data transfer has a valid legal basis — and that you can prove it.
This checklist walks through the practical steps every European marketer should take.
What Schrems II Actually Requires
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). The ruling didn't just affect Facebook — it affected every transfer of personal data from the EU to the United States.
The core finding: US surveillance laws (FISA Section 702 and Executive Order 12333) allow government access to personal data at a level incompatible with EU fundamental rights. Standard Contractual Clauses (SCCs) remain valid in principle, but only if supplemented by additional safeguards when transferring to countries with inadequate protections.
In practice, this means that for every tool in your marketing stack that sends personal data outside the EU, you need:
- A valid transfer mechanism (adequacy decision, SCCs, or BCRs)
- A Transfer Impact Assessment (TIA) documenting whether the destination country's laws undermine the protections
- Supplementary measures if the TIA identifies risks
- A Data Processing Agreement (DPA) with every processor
The EU-US Data Privacy Framework: Not a Permanent Fix
The EU-US Data Privacy Framework (DPF), adopted on July 10, 2023, currently provides a legal basis for transfers to DPF-certified US companies. But the DPF's two predecessors — Safe Harbor and Privacy Shield — were both struck down by the CJEU.
Key risk factors for the DPF:
- noyb has signaled intent to challenge the DPF at the CJEU (a potential "Schrems III" case)
- The European Parliament passed a resolution in 2024 expressing concerns about the DPF's durability
- The Privacy and Civil Liberties Oversight Board (PCLOB), a key institutional safeguard, has faced staffing concerns
- Changes in the US political landscape raise questions about the continued enforcement of Executive Order 14086
Relying solely on the DPF without a backup plan means you could be non-compliant overnight if it's invalidated — just as happened with Privacy Shield in 2020.
Your Schrems II Compliance Checklist
Step 1: Inventory Every Tool That Touches Personal Data
List every tool in your marketing stack. For each, document:
- What personal data it processes (email addresses, IP addresses, device IDs, behavioral data, etc.)
- Where the data is stored (EU, US, or other)
- Whether the vendor acts as a processor or controller
- The company's legal jurisdiction (where it's incorporated)
Common marketing tools that involve data transfers:
| Category | Common US-Based Tools | EU Alternatives |
|---|---|---|
| Analytics | Google Analytics | Matomo, Plausible, Fathom |
| Email Marketing | Mailchimp, HubSpot | Brevo |
| CRM | Salesforce, HubSpot | Brevo |
| Heatmaps | Hotjar (US-owned) | Mouseflow, Smartlook |
| A/B Testing | Optimizely | VWO |
| Consent Management | OneTrust | Cookiebot, Complianz |
Step 2: Check Your Transfer Mechanisms
For each tool that transfers data outside the EEA, verify which legal mechanism applies:
Adequacy Decision (Article 45 GDPR)
- Is the vendor in a country with an EU adequacy decision? (e.g., UK, Japan, South Korea, Switzerland, or the US under the DPF)
- For US vendors: Is the specific company certified under the DPF? Check the official list at dataprivacyframework.gov.
Standard Contractual Clauses (Article 46 GDPR)
- Are you using the 2021 SCCs (Commission Implementing Decision (EU) 2021/914)? The older versions expired on December 27, 2022.
- Which module applies? Module 1 (C2C), Module 2 (C2P), Module 3 (P2P), or Module 4 (P2C)?
- Have the SCCs been properly executed (signed by both parties)?
Important: Even with a DPF-certified vendor, consider having SCCs in place as a fallback. If the DPF is invalidated, SCCs provide a backup transfer mechanism — though you'd also need a completed TIA.
Step 3: Conduct Transfer Impact Assessments
The EDPB's Recommendations 01/2020 outline a six-step process:
1. Map your transfers — What data, to whom, where, for what purpose
2. Identify the transfer mechanism — SCCs, adequacy decision, BCRs, or Art. 49 derogation
3. Assess third-country laws — Can the government access the data? Are there effective legal remedies for data subjects?
4. Identify supplementary measures — Technical (encryption where you hold keys, pseudonymization), organizational (access controls, audit rights), or contractual
5. Implement the measures — Put them into effect
6. Re-evaluate regularly — Laws change, vendors change, data flows change
For US transfers specifically, assess:
- FISA Section 702 — Allows warrantless surveillance of non-US persons' communications
- Executive Order 12333 — Authorizes bulk collection of signals intelligence
- The CLOUD Act — Can compel US companies to disclose data stored abroad
Step 4: Review Your Data Processing Agreements
Article 28(3) GDPR requires a DPA with every processor. Check that each DPA includes:
- Subject matter, duration, nature, and purpose of processing
- Types of personal data and categories of data subjects
- A requirement that the processor acts only on the controller's documented instructions
- Confidentiality obligations for authorized personnel
- Appropriate technical and organizational security measures (Article 32)
- Conditions for engaging sub-processors (prior authorization, equivalent obligations)
- Assistance with data subject rights requests
- Assistance with security, breach notification, and DPIAs (Articles 32-36)
- Deletion or return of data upon termination
- Audit and inspection rights
Common gap: Many SaaS vendors provide a DPA, but it may not meet all Article 28 requirements. Read it carefully — don't just click "accept."
Step 5: Verify Your Legal Bases for Processing
For each processing activity in your marketing stack, confirm you have a valid legal basis under Article 6 GDPR:
- Consent (Art. 6(1)(a)) — Required for most email marketing, cookies, and tracking under the ePrivacy Directive
- Legitimate interest (Art. 6(1)(f)) — May apply to some analytics if properly balanced, but rarely covers cross-border tracking
- Contract (Art. 6(1)(b)) — For processing necessary to fulfill a contract with the data subject
For cookies and tracking technologies specifically, the ePrivacy Directive (as implemented nationally) generally requires consent unless the cookie is strictly necessary.
Step 6: Document Everything
Maintain a Record of Processing Activities (ROPA) as required by Article 30 GDPR, including:
- All processing activities and their legal bases
- Data transfer mechanisms and destinations
- TIAs and supplementary measures
- DPAs with all processors
- Sub-processor lists and notification mechanisms
- Consent records
This documentation isn't optional — it's legally required, and supervisory authorities (the national data protection authorities) will ask for it during inspections.
The Simplest Path to Compliance
The most straightforward way to reduce transfer risk is to use tools that keep data in the EU. No data transfer outside the EEA means no SCCs, no TIAs, and no dependence on the DPF's continued validity.
European alternatives exist for virtually every category of marketing tool:
- Web Analytics: Plausible, Matomo, Fathom, Pirsch, Simple Analytics — many require no cookie consent at all
- Email & CRM: Brevo (French, EU data processing)
- Consent Management: Cookiebot (Danish), Complianz (Dutch)
- Heatmaps & Session Recording: Mouseflow (Danish), Smartlook (Czech)
- Tag Management: Stape (EU-based server-side tagging)
Browse our full alternatives directory to compare tools by GDPR status, EU hosting, and pricing.
What Happens If You Don't Comply
The enforcement track record is clear. In 2022-2023, multiple EU data protection authorities ruled that the use of Google Analytics was unlawful for lacking adequate transfer safeguards. Sweden's IMY issued fines of up to EUR 1 million. Ireland's DPC fined Meta EUR 1.2 billion for transferring EU user data to the US.
DPAs are actively monitoring compliance. The cost of switching to a European analytics tool is a fraction of even a modest GDPR fine — and far less than the reputational damage of a public enforcement action.
Next Steps
- Start with the audit. Use the checklist above to map your tools and their data flows.
- Prioritize high-risk transfers. Analytics and tracking tools that process behavioral data across your entire user base are the highest-risk items.
- Evaluate European alternatives. Our tools directory helps you find GDPR-compliant replacements with verified EU hosting.
- Get legal advice. This checklist provides a practical framework, but consult qualified legal counsel for your specific situation.
The businesses that adapted early after Schrems II avoided the enforcement wave that followed. With the DPF's future uncertain, now is the time to audit your stack — not after the next CJEU ruling.
Looking for GDPR-compliant alternatives?
Browse our directory of European marketing tools — all verified for GDPR compliance and EU data hosting.