Upcoming Webinar ON
TECHNICAL SUPPLEMENTARY MEASURES
SCC / EDPB GUIDANCE IS HERE Schrems II Requirments
2-Hours of Expert Actionable Advice on Surviving & Thriving Under Schrems II
22nd June
4pm CEST
Register Now
Schrems II Solutions Knowledge Hub Resources Company Contact
Company
About Us Our People Awards Contact Patents

Comply with Schrems II with the only Technology built to solve a Legal Problem: Data Embassy

Contractual measures are not enough, and organisations do not have a grace period to become compliant. To continue sharing data lawfully and efficiently, organisations must invest in a technology solution enabling non interrupted vital business objectives: Data Embassy.
  • When travelling in a foreign country, you can turn to your country’s Embassy for predictable protection and physical security.
  • Anonos Data Embassy software embeds this same predictable protection and physical security in your data, no matter what country it is in.
  • Protect your data wherever it goes to allow it to travel without borders.
Schrems II has presented a legal problem that requires a technical solution: Anonos Data Embassy software empowers you to stay compliant so that your organisation can continue to rely on the data that powers its growth.
Data Embassy Software Technically Enforces Your Organisation’s Policies to:
Establish Controls that Travel with Your Data
Embed Trust into Your Data, Enabling it to Flow
Anonos’ state-of-the-art patented Data Embassy technology makes the impossible possible: It uniquely reconciles conflicts between maximising (i) data use, sharing and combining and (ii) data protection and privacy.

Whether for AI or ML models or improving your data analytics solutions, you extract the most value from personal data with dynamic use cases. Why settle for outdated techniques protecting only static uses that deliver little value?

Let us prove how Anonos Data Embassy software can solve your most complex legal and data challenges to maximise data value without compromising accuracy or legal requirements. Sounds too good to be true? These three groups of FAQs highlight how Anonos Data Embassy software uniquely solves data use versus protection quandaries.
1 We Leverage GDPR-compliant Pseudonymisation to Enable Greater Data Value & Protection
1. Is Anonymisation the same as Pseudonymisation under the GDPR?
NO. Anonymisation and Pseudonymisation are VERY different under the GDPR. Anonymisation, which is not defined under the GDPR, is an attempt to remove processing from GDPR jurisdiction. To be successful, Anonymisation must delete all means of relinking back to source data, reducing the value of data to near zero. Pseudonymisation is redefined under the GDPR to include functional separation of information value from identity, requiring protection of both direct and indirect identifiers with context-aware, use case-specific controls. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 1 at https://www.SchremsII.com/TenTruths]
2. Is GDPR Pseudonymisation a higher standard than pre-GDPR Pseudonymisation?
YES. GDPR Pseudonymisation a higher standard than pre-GDPR Pseudonymisation. Pseudonymisation is redefined under the GDPR to include functional separation of information value from identity, requiring protection of both direct and indirect identifiers with context-aware, use case-specific controls. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 2 at https://www.SchremsII.com/TenTruths]
3. Does failed Anonymisation result in GDPR-compliant Pseudonymisation?
NO. Failed attempts at Anonymisation to remove data from GDPR jurisdiction is unlikely to satisfy the new heightened requirements for Pseudonymisation under the GDPR. To be successful, GDPR Pseudonymisation must functionally separate information value from identity, which requires the protection of both direct and indirect identifiers with context-aware, use case-specific controls. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 3 at https://www.SchremsII.com/TenTruths]
4. Does GDPR Pseudonymisation require protection of more than direct identifiers?
YES. GDPR Pseudonymisation requires protection of more than direct identifiers. Pseudonymisation as redefined under the GDPR must functionally separate information value from identity. This requires the protection of both direct and indirect identifiers with context-aware, use case-specific controls. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 4 at https://www.SchremsII.com/TenTruths]
5. Does GDPR Pseudonymisation provide greater value than Anonymisation of data?
YES. GDPR Pseudonymisation provides greater value than Anonymisation. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 5 at https://www.SchremsII.com/TenTruths]
6. Does GDPR Pseudonymisation require dynamism?
YES. GDPR Pseudonymisation requires dynamism. Pseudonymisation as redefined under the GDPR must functionally separate information value from identity. This requires the protection of both direct and indirect identifiers with context-aware, use case-specific controls that use different tokens at different times for different purposes to avoid unauthorised reidentification via the Mosaic Effect. Newly redefined GDPR Pseudonymisation maximises both the protection and value of data by enabling auditable, dynamically enforced control over who, when and why information value is linkable to identity. [See Truth No. 6 at https://www.SchremsII.com/TenTruths]
7. Does GDPR Pseudonymisation help satisfy Schrems II requirements for Technical Supplementary Measures?
YES. GDPR Pseudonymisation can satisfy Schrems II requirements for Technical Supplementary Measures. A central tenet of GDPR-compliant Pseudonymisation is separation of information value from the identity of the data subjects, where the sole means to relink the Pseudonymised data to the underlying identities is via “additional information.” This additional information must be stored separately and securely and access must be restricted as per established policies and controls. This separation, when implemented correctly, satisfies a crucial requirement of Schrems II as well as GDPR Article 11(1), which states:

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

GDPR-compliant Pseudonymisation can enable cross border data transfers to happen lawfully and securely, unlike in the past where data service providers in the EU had to resort to legal treaties like the Privacy Shield to make this happen. With GDPR-compliant Pseudonymisation, data exporters and vendors in the EU can lawfully use cloud based data processing solutions, even when they are located outside of the EU (or operated in the EU by US or other non-EEA/Adequacy Countries subject to obligations to disclose data), because the additional information required to relink the data to identities of data subjects is available only in the EU under the control of the data controller. Even if this data were to be intercepted, properly GDPR Pseudonymised data does not expose the identities of EU subjects. As more use cases of lawful cross border data sharing and transfers emerge and more organizations realise the benefits of GDPR Pseudonymisation, we will likely see exponential increase in the adoption and implementation of GDPR-compliant Pseudonymisation. [See Truth No. 7 at https://www.SchremsII.com/TenTruths]
8. Does GDPR Pseudonymisation enable EU-based redress for failure to properly Pseudonymise data?
YES. GDPR Pseudonymisation enables EU-based redress for failure to properly Pseudonymise data. Under GDPR, if there is a breach in user privacy arising out of improperly pseudonymised data, then the data controller or service provider in the EU responsible for sharing, distributing or transferring this data can be held accountable. This legal safeguard provides EU subjects with access to legal recourse within the jurisdiction of the EU, instead of having to rely on legal mechanisms outside of the EU for redress. This also serves as a strong incentive for the data controller to ensure that it has properly Pseudonymised data in compliance with GDPR requirements, lest it expose itself to lawsuits, claims or injunctive relief (termination of processing by supervisory authorities. [See Truth No. 8 at https://www.SchremsII.com/TenTruths]
9. Is GDPR Pseudonymisation an example of distributed trust controls to enable trusted data?
YES. GDPR Pseudonymisation is an example of distributed trust controls to enable trusted data. The ubiquitous availability of high speed Internet and convergence of technologies such as 5G, IoT, Big Data and cloud computing has led to a prodigious amount of data being generated and shared across industry verticals. This poses security and privacy risks – how do we ensure that this data is transferred safely and only used in an appropriate way? Advanced data protection techniques such as GDPR-compliant Pseudonymisation, that more effectively address data privacy concerns, help to meet these challenges. By embedding distributed trust controls in data transfers, distribution and sharing, GDPR Pseudonymisation helps to facilitate wider and faster adoption of these technologies, while ensuring compliance with GDPR and other applicable laws. [See Truth No. 9 at https://www.SchremsII.com/TenTruths]
10. Does GDPR Pseudonymisation enable statutory benefits?
YES. Pseudonymisation satisfying heightened requirements under the GDPR enables significant statutory benefits. Pseudonymisation can not only help data controllers comply with GDPR regulations, it can also enable a host of GDPR statutory benefits such as:
  • Tip the balance in favor of Legitimate Interests processing (GDPR Articles 5(1)(a) and 6(1)(f) and WP 217)
  • Allow more flexible change of purpose (GDPR Article 5(1)(b) and WP 203)
  • Allow more expansive data minimisation (GDPR Articles 5(1)(c) and 89(1))
  • Allow more flexible storage limitation (GDPR Articles 5(1)(e) and 89(1))
  • Provide enhanced security (GDPR Articles 5(1)(f) and 32)
  • Facilitate more expansive further processing (GDPR Article 6(4) and WP 217)
  • Allow more flexible profiling (WP 251 rev.01 - Annex 1 and GDPR Recital 71 and Article 22
  • Allow lawful sharing and combining of data (GDPR Recitals 42 and 43, Articles 11(2) and 12(2), and EDPB Guidelines 05/2020)
[See Truth No. 10 at https://www.SchremsII.com/TenTruths]
2 We Overcome the Data Value & Protection Shortcomings of Other Approaches
11. Do differential privacy guarantees provide value?
NO. Privacy guarantees associated with differential privacy provide minimum real-world value. While mathematically elegant, differential privacy guarantees reflect the artificial use constraints imposed on data, processes and users necessary for differential privacy to work. These artificial use constraints are inconsistent with real-world data use conditions, so differential privacy is not realistic for real-world distributed processing removed from protected enclaves.
12. Are differential privacy watermarks valuable?
NO. Watermarks offered in connection with differential privacy solutions provide minimum real-world value. They serve to identify the party responsible for violating the artificial use (enclave) constraints necessary for differential privacy to work. However, once a party violates these artificial use (enclave) constraints, the effectiveness of differential privacy is nullified.
13. Is differential privacy the “worst of all worlds” under the GDPR?
YES. Differential privacy provides the “worst of all worlds” under the GDPR since the data is neither Anonymous so it outside of the scope of GDPR jurisdiction (because the data controller retains the original identifying data) nor is it GDPR-compliant Pseudonymous and entitled to the statutory benefits identified in FAQ 10 above (because the direct and indirect identifiers are not protected to prevent reidentification without “additional information” that is kept separately and securely as required under Article 4(5))
14. Does synthetic data work for dynamically changing data?
NO. Synthetic data does not protect real-time dynamically changing data. Synthetic data requires recalibration of all of the interrelationships and correlations within a synthetically prepared data set each time material changes occur in the underlying data, so it can only provide “after the fact” versus real-time protection.
15. Do differential privacy or synthetic data enable relinking to identity or longitudinal studies?
NO. Neither differential privacy nor synthetic data enable relinking to identity for longitudinal studies, nor the ability to contact at-risk study participants.
16. Is Homomorphic Encryption a viable alternative?
NO. Processing that takes 1 second using GDPR Pseudonymised data or cleartext data will take several days using Homomorphic Encryption. Sophisticated business processes cannot tolerate such speed. While advances are being made in Homomorphic Encryption, its high computational overhead and extended processing times result in a high carbon footprint making it impracticable for sophisticated decentralised data processing, sharing, combining, relinking or longitudinal studies in the near future.
3 We Overcome the Top Schrems II Misconceptions
17. Is there a grace period for complying with Schrems II requirements?
No. There is no grace period for complying with Schrems II – the obligation to comply was immediate upon the ruling of the CJEU on 16 July 2020.
18. Can new SCCs be used without Technical Supplementary Measures?
NO. New SCCs cannot be used without Technical Supplementary Measures. Technical Supplementary Measures are required whenever there is a surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
19. Can current SCCs be used without Technical Supplementary Measures until we migrate to new SCCs?
NO. In the Schrems II ruling, the Court of Justice of the European Union was adamant that SCCs can only be lawful if supplemented by Technical Supplementary Measures when there is any surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
20. Can I just update my SCCs?
No. Updating SCCs is not enough. SCCs “are not capable of binding the authorities of that third country, since they are not party to the contract.” Schrems II requires the implementation of technically-enforced Supplementary Measures for transfers to non-EEA / Adequacy Countries henever there is a surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
21. Must I stop all processing involving EU personal data that fails to comply with Schrems II?
Yes. Unless you implement Technical Supplementary Measures that ensure an essentially equivalent level of protection, “you must avoid, suspend or terminate” all international data transfers based on SCCs.
22. What is the penalty for failing to comply with Schrems II?
Under the CJEU ruling, Supervisory Authorities have an affirmative obligation to stop transfers that do not comply with Schrems II requirements. In addition to business operation disruptions from termination of data flows, companies face penalties of €20 million or 4% of their global turnover, whichever is greater.
23. Is Schrems II a C-Suite / Board level issue?
Yes. Due to the significant publicity regarding the potential negative effects of Schrems II, lack of corporate change may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.” This opens Board members and senior executives to potential personal and criminal liability. In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).
24. Can I use Encryption or Anonymisation as Supplementary Measures to protect data when in use to comply with Schrems II?
No. Encryption only protects data in transit and in storage. Anonymisation is not recognised as a suitable Schrems II Supplementary Measure by the European Data Protection Board (EDPB). Schrems II requires organisations to protect data when in use by using technically-enforced Supplementary Measures that protect data from unauthorised access. These technical controls must ensure that EU personal data does not reveal the identities of data subjects when processed outside of EEA / equivalency countries. Processing of personal data in the clear outside of the EEA / Adequacy Countries is unlawful under Schrems II.
25. Which use case can I no longer lawfully process?
The EDPB highlights two use cases of data transfers that are unlawful under Schrems II: (i) Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear (EDPB Unlawful Use Case 6); and (ii) Remote Access to Data for Business Purposes (EDPB Unlawful Use Case 7).
26. What are my options for complying with Schrems II requirements for data in use?
The EDPB has highlighted the transfer of GDPR Pseudonymised data (EDPB Lawful Use Case 2) as lawful. This means that Cloud Processing and Remote Access for Business Purposes (EDPB Unlawful Use Cases 6 and 7) can be made legal by transforming data into GDPR-Pseudonymised data (Lawful Use Case 2) before processing in the cloud or making it available for remote access.
Schedule a Meeting with Us
Establish an Immediately Defensible Legal Position
We guarantee that our technology is state-of-the-art.
Data Embassy Software Enables Lawful Borderless Data
The only software to utilize GDPR-compliant Pseudonymisation together with patented relinking techniques, Anonos Data Embassy software creates protected outputs called Variant Twins that make it possible to analyze, combine, and use data both inside and outside organizations, in a variety of different use cases.

With the ability to obscure key identifiers—but not permanently alter or remove them— protecting data subjects without depriving organizations of the key insights that can only come from clear, accurate data. Variant Twins embed mandated protections into data, allowing it to reach its infinite, legal potential.
Schrems II Knowledge Hub
Quick Read Briefings
In-Depth Resources
News
Top 8 Misconceptions
Executive & Board Risk Assessment Framework
New Technology Controls Required
Legal Solutions Guidebook
Webinar: Presenting Risk Exposure to the C-Suite & Board
Anonos Solution Page
Implementation Workshop
Executive Briefing Portal
IDC Report on Schrems II
Pseudonymisation
LinkedIn Group
Schrems II Blog
Top 8 Misconceptions
A number of serious misconceptions about the impact of Schrems II still remain, which makes it hard for organisations to comply.

This PDF download contains an explanation of the Top 8 Misconceptions surrounding Schrems II so that your organisation can eliminate misunderstandings to move forward. Downloadable and web versions are available.
READ MORE
Schrems II Legal Solutions Guidebook
The Schrems II Legal Solutions Guidebook is a critical asset for legal and privacy advisors working on GDPR and Schrems II compliance issues.

The Guidebook, which has been downloaded over 2,200 times, covers the key legal aspects and benefits of SCC-based Schrems II compliance, as well as a checklist, templates, and practical steps for organisations to follow.
Download
Implementation Workshop
Schrems II workshop covering Implementation Roadmap & Legal Benefits, for organisations to understand how to implement Schrems II Supplementary Measures for SCCs. Over 2000 GCs, CPOs, DPOs, and Outside Legal Counsel participated from over 1700 companies across over 50 countries. To ensure you don't miss out on valuable information, a replay of this workshop is available for you.
Watch Replay
Executive Briefing Portal
The Schrems II Executive Briefing Portal was created in response to overwhelming requests from General Counsels and data privacy professionals for additional information. This Portal allows you to explore many critical issues related to Schrems II so you can provide support to your organization and advice to your clients. The Portal contains sections on regulator guidance, Schrems II compliance, general GDPR concepts, and analysis of legal issues.
REGISTER FOR ACCESS
LinkedIn Group
This Schrems II LinkedIn Group has over 7600 members, with legal, privacy, and data professionals discussing key issues related to this ruling and some of the complications. This community group provides the opportunity to view information, collaborate on solutions, and discuss complex issues with other experts.
JOIN GROUP
Anonos Solution Page
Anonos offers a technology solution that provides technical Supplementary Measures for Schrems II compliance. Explore Anonos GDPR-Pseudonymisation technology, so that you can support your organisation or clients towards a compliant solution. Only Anonos delivers three critical requirements for achieving a Defensible Business Position: Schrems II compliant Supplementary Measures and GDPR-compliant Pseudonymisation to future-proof Standard Contractual Clauses (SCCs).
VIEW SOLUTION
IDC Report on Schrems II
This IDC report explains how Anonos’ BigPrivacy software is well placed to satisfy the Schrems II requirements for appropriate safeguards by creating pseudonymised versions of personal data (Variant Twins).

The IDC report covers the development of Anonos BigPrivacy, use cases, an explanation of Anonos' state-of-the-art Pseudonymisation technology, and market applicability of the solution. Read this IDC report to find out how Anonos technology can help you.
READ REPORT
Schrems II Blog
A timely collection of articles and perspectives that you will not find elsewhere. This content reflects topical issues gleaned from meetings and interactions with companies, regulators, legislators, and non-governmental organisations related to SCC-based compliance with Schrems II requirements.
READ BLOG
Pseudonymisation
Pseudonymisation is at the core of the Data Embassy principles, and is newly-redefined in the GDPR. Find out more about the importance of Pseudonymisation, as recommended by the EDPB as a Schrems II solution for protecting data in use, and how its application can help your organisation.
READ MORE
Executive & Board Risk Assessment Framework
This framework covers the crucial issues we address when working with these organisations to evaluate the ability to establish an immediately defensible position in compliance with Schrems II.
READ MORE
New Technology Controls Required
Relying on “Words Alone” by updating contracts and hoping for treaties produces unsustainable operations because no contract or treaty will remove the need for new technology controls to protect data when in use.

This Briefing covers how Anonos technology solves international cross-border legal challenges, enabling the highest data protection levels, accuracy, and utility on a global scale by complying with recommendations by the EDPB for GDPR-compliant Pseudonymisation.
READ MORE
Webinar: Presenting Risk Exposure to the C-Suite & Board
Schrems II risk mitigation strategies for Boards of Directors and C-Suite, and organisations are critically needed. View this webinar to find out what the risks are, and what steps you need to take next to brief your executive team and board members.
Watch Replay
*Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.