Supplementary measures for transfers
Supplementary measures are the additional technical, contractual, or organisational safeguards an exporter may need to add on top of a transfer tool (such as standard contractual clauses) when the destination country's laws do not guarantee equivalent protection. This educational page explains the concept and how it applies to analytics transfers.
Why they exist
Schrems II held that a transfer tool such as standard contractual clauses is not always enough on its own: the exporter must assess whether the destination country's laws (for example government-access powers) undermine the protection the tool promises. Where they do, the exporter must add supplementary measures to bring protection up to an essentially equivalent level — or not transfer the data.
- Required when SCCs alone are insufficient in practice
- Driven by the destination country's legal environment
- Goal is essentially equivalent protection
Measures and the analytics angle
The EDPB describes categories of measures: technical (such as strong end-to-end encryption or effective pseudonymisation where the importer cannot re-identify), contractual (extra commitments and transparency), and organisational (policies, access controls, challenge of unlawful access requests). For analytics, the strongest technical measures — keeping identifiable data in-region, or anonymising before any transfer — often do more than contractual wording alone.
How it appears in analytics and logs
Transferring identifiable analytics data to a third country on contractual clauses alone, without effective extra safeguards, is the gap supplementary measures are meant to close.
Diagnostic use case
Assess whether your analytics transfers need supplementary measures — such as strong encryption or in-region processing — beyond contractual clauses to be lawful.
What WebmasterID can help detect
WebmasterID's in-region-friendly, first-party model reduces the need for supplementary measures by limiting cross-border transfers of identifiable data.
Common mistakes
- Relying on contractual clauses without assessing the destination's laws.
- Treating weak pseudonymisation as an effective technical measure.
- Skipping a transfer-impact assessment entirely.
Privacy and accuracy notes
This page is educational and not legal advice. Whether measures are sufficient is a fact-specific transfer-impact assessment; consult the EDPB guidance and counsel.
Related pages
- Schrems II and analytics transfers
Schrems II is the 2020 Court of Justice of the EU judgment that invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only with a case-by-case assessment of the destination country's surveillance laws. Its reasoning later drove regulator decisions against certain US-hosted analytics. This page explains the ruling and its analytics impact.
- Standard contractual clauses (SCCs)
Standard Contractual Clauses (SCCs) are model data-protection contract terms adopted by the European Commission that provide a lawful basis for transferring personal data outside the EEA to countries without an adequacy decision. They are commonly used when analytics data flows to vendors abroad. This page explains their role and the assessment that accompanies them.
- Cross-border data transfers in analytics
The GDPR restricts transfers of personal data outside the EU/EEA unless a valid mechanism applies — an adequacy decision, Standard Contractual Clauses, or another safeguard. Analytics that ships data to servers abroad therefore raises a transfer question, made sharper by case law on access by foreign authorities. Keeping data in-region or minimising it reduces the issue. This is educational, not legal advice.
- Privacy-first analytics
Limit transfers that would need extra safeguards.
Sources and verification notes
- EDPB — Recommendations 01/2020 on supplementary measures: Official guidance defining and categorising supplementary measures.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.