In one sentence. Supplementary measures are the additional technical, contractual or organisational safeguards that the CJEU’s Schrems II judgment (C-311/18) and EDPB Recommendations 01/2020 require controllers to deploy when a destination country’s law does not provide essentially equivalent protection to the GDPR — typically combined with Standard Contractual Clauses (SCCs) or BCRs. They are the operational answer to the question “the contract is not enough — what now?”
These measures are mandatory whenever a Transfer Impact Assessment concludes that local law (e.g. FISA 702 in the US, China’s PIPL state-access provisions) enables disproportionate government access.
Key takeaways
- Three categories: technical, contractual, organisational.
- Technical measures (encryption, pseudonymisation) are the only ones that block direct access in most threat models.
- EDPB Recommendations 01/2020 (final version June 2021) provide use cases 1-7.
- Required for Article 46 transfers (SCCs, BCRs, codes, certifications) — not for Article 45 adequacy.
- Cloud “remote access” by US engineers counts as a transfer requiring assessment.
- Failure: Meta Ireland €1.2B (DPC + EDPB, May 2023).
1. Origin: Schrems II + EDPB Recommendations 01/2020
CJEU C-311/18 (16 July 2020) invalidated Privacy Shield and conditioned SCC validity on “additional measures” where local law undermines protection. EDPB Recommendations 01/2020 (adopted 18 June 2021) translated this into a six-step methodology and a catalogue of measures.
2. The six-step methodology
- Know your transfers (map data flows)
- Verify the transfer tool (Article 46 instrument)
- Assess the law and practice of the third country
- Identify and adopt supplementary measures
- Take procedural steps (consult DPA if needed)
- Re-evaluate at appropriate intervals
3. Technical measures (most robust)
EDPB Annex 2 — technical measures:
| Measure | Effect | Use case |
|---|---|---|
| Strong encryption with keys held only in EU | Blocks access by importer and authorities | Storage-only transfer (use case 3) |
| Pseudonymisation without re-id keys at importer | Reduces re-identification | Research data export |
| Split processing (multi-party computation) | No single party sees full data | Cross-border analytics |
| End-to-end encryption | Importer cannot decrypt | Messaging |
Technical measures are the only ones EDPB considers effective against bulk surveillance.
4. Contractual measures (supplementary, not sufficient alone)
EDPB Annex 2 — contractual:
- Importer obligation to challenge access requests
- Obligation to use legal remedies
- Transparency reporting on access requests
- Notice to controller upon receipt of request
- Audit rights specific to local law
- Warranty regarding absence of backdoors
These measures deter or document access but do not block it: they are always required, but never sufficient on their own for US- or China-type regimes.
5. Organisational measures
- Internal access policies restricting US-located staff
- Documented procedures for handling government requests
- Training on Schrems II
- Strict need-to-know on cross-border data flows
- Selection of EU-based subprocessors where possible
6. EDPB use cases (Annex 2)
| Use case | Scenario | Conclusion |
|---|---|---|
| 1 | Data hosted in EU only | Effective measures possible (split processing) |
| 2 | Pseudonymised data transferred for research | Effective if re-id keys held in EU |
| 3 | Encrypted data hosted/backup in third country | Effective if EU-held keys |
| 4 | Transfer to FISA 702 importer for clear data | No effective measures |
| 5 | Remote access from third country to EU data | Generally no effective measures for clear data |
| 6 | Cloud SaaS with importer clear-data access | No effective measures under FISA 702 |
| 7 | Joint controller research with FISA risk | Case by case |
Use cases 4-6 are the practical blockers — they apply to most US cloud SaaS configurations.
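As an added, constructed example (not from the page or from Legiscope) of the pseudonymisation row in section 3 and use case 2 above: the keyed pseudonym and the re-identification table stay with the EU exporter, the importer receives only the pseudonymised records, and a pre-transfer check confirms that no direct identifier leaves with them. Record fields, values and the key are assumptions.

```python
import hashlib
import hmac

# Constructed sample records held by the EU exporter (hypothetical values).
EU_RECORDS = [
    {"patient_id": "P-1001", "email": "a.nowak@example.eu", "age": 54, "diagnosis": "I10"},
    {"patient_id": "P-1002", "email": "b.rossi@example.eu", "age": 61, "diagnosis": "E11"},
    {"patient_id": "P-1001", "email": "a.nowak@example.eu", "age": 54, "diagnosis": "I25"},
]
DIRECT_IDENTIFIERS = ("patient_id", "email")


def pseudonymise_for_export(records, reid_key):
    """Return (export, reid_table): export may leave the EU; reid_table and reid_key must not.
    Direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym; the mapping back to
    identifiers is kept only by the exporter. reid_key should come from an EU-held secret
    store or KMS (e.g. 32 random bytes); it is never sent to the importer."""
    export, reid_table = [], {}
    for rec in records:
        identity = "|".join(rec[f] for f in DIRECT_IDENTIFIERS).encode()
        pseudonym = hmac.new(reid_key, identity, hashlib.sha256).hexdigest()
        reid_table[pseudonym] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        export.append({"pseudonym": pseudonym,
                       **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return export, reid_table


def export_is_clean(export, source_records):
    """Pre-transfer check: no identifier field name and no raw identifier value in the export."""
    raw_values = {rec[f] for rec in source_records for f in DIRECT_IDENTIFIERS}
    for rec in export:
        if any(f in rec for f in DIRECT_IDENTIFIERS):
            return False
        if any(str(v) in raw_values for v in rec.values()):
            return False
    return True


def reidentify(pseudonym, reid_table):
    """Only the EU-held table (or the key) reverses a pseudonym; without it there is nothing to look up."""
    return reid_table.get(pseudonym)


def naive_pseudonym(record):
    """Why the key matters: an unkeyed SHA-256 of the identifiers can be recomputed by anyone who
    knows or guesses them, so it would not be an effective pseudonym; the HMAC value cannot."""
    identity = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hashlib.sha256(identity).hexdigest()
```

The two records for the same person share one pseudonym, so the importer can still link a subject's records for research without being able to say who the subject is.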
7. Cloud-specific application
For US hyperscalers (AWS, Azure, GCP), supplementary measures typically include:
- EU regions only
- Customer-managed keys held in EU (BYOK / HYOK)
- Confidential computing where available
- Contractual transparency on US government requests
- EU sovereign cloud variants (T-Systems / SAP / OVHcloud)
- For DPF-certified recipients: rely on adequacy; supplementary measures are not required
8. Government access — third-country profile
EDPB’s law-and-practice assessment requires examining:
- US: FISA 702, Executive Order 12333, CLOUD Act, Patriot Act
- China: National Intelligence Law, Cybersecurity Law, DSL
- Russia: SORM, Yarovaya law (essentially no transfers)
- India: Telegraph Act, IT Act 69
- UK: Investigatory Powers Act (despite adequacy)
9. Documentation requirements
Per Article 5(2) accountability, a TIA + supplementary measures document must include:
- Data flow description
- Law and practice assessment
- Measures adopted (with proof: KMS configuration, contractual clauses signed)
- Re-evaluation schedule
DPAs (CNIL, Garante, AEPD) request this during audits.
10. Sanctions
- Meta Ireland (DPC, May 2023): €1.2 billion — no effective supplementary measures for EU-US Facebook transfers
- Google Analytics decisions (CNIL, Garante, DSB 2022-2023): unlawful transfers
- Clearview AI (multiple DPAs): €20M+ partly transfer-based
11. Tooling
Legiscope maps every transfer to applicable safeguards, generates TIA + supplementary measures documentation per EDPB Recommendations 01/2020, and tracks DPF certification status of US recipients.
For broader context: GDPR Article 44, Transfer Impact Assessment, SCCs.
FAQ
What are GDPR supplementary measures?
Additional technical, contractual or organisational safeguards required by Schrems II (CJEU C-311/18) and EDPB Recommendations 01/2020 to ensure essentially equivalent protection when transferring personal data to a country with deficient local law.
When are supplementary measures required?
Whenever a Transfer Impact Assessment under Article 46 (SCCs, BCRs, codes, certifications) shows that local law and practice in the destination country undermine protection — including most US, China, and Russia transfers.
What technical measures count as supplementary?
Strong encryption with EU-held keys, pseudonymisation without re-identification keys at the importer, split processing, end-to-end encryption.
Are contractual measures alone enough?
No. EDPB Recommendations 01/2020 are explicit: for FISA 702 / clear-data scenarios (use cases 4-6), no contractual measure is effective. Technical measures are required.
What’s the biggest sanction for missing supplementary measures?
Meta Ireland (Irish DPC + EDPB binding decision, May 2023): €1.2 billion — the largest GDPR fine ever — specifically for unlawful US transfers without effective supplementary measures.