StackPatrol
GDPR and digital sovereignty

Schrems II and your website

The Schrems II ruling changed how European organisations handle third-party web services. Find out which vendors on your site are affected and what to do about it.

Not legal advice · Free tool · No signup needed

Free · No signup · Scans your front page and one additional page. Need a full site audit?

What is Schrems II?

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in a case brought by Austrian privacy activist Max Schrems. The ruling (formally known as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, case C-311/18) found that US surveillance law does not provide Europeans with adequate protection.

The ruling did not ban transfers to the US. It made them more complex. Organisations relying on the Privacy Shield had to find a new legal basis immediately, and those using Standard Contractual Clauses (SCCs) were required to assess whether US law undermines those protections.

In July 2023, the EU adopted the EU-US Data Privacy Framework (DPF) as a new adequacy decision for certified US organisations. This provides a simpler legal basis for transfers to DPF-certified vendors. However, the DPF is still contested and non-certified vendors remain subject to the full Schrems II analysis.

July 2020
Privacy Shield invalidated

The CJEU strikes down the EU-US Privacy Shield. Thousands of organisations lose their transfer mechanism overnight.

2021-2023
Enforcement begins

Data protection authorities across Europe start issuing findings against Google Analytics, Facebook and others. Fines follow.

July 2023
EU-US DPF adopted

The Data Privacy Framework provides a new adequacy decision. Transfers to DPF-certified US organisations are now covered. The framework can still be challenged in court.

What counts as a third-country transfer on a website?

Any script or resource that causes a visitor's browser to send data to a server outside the EEA is potentially a third-country transfer. This includes IP addresses, which are personal data.

Analytics scripts

Google Analytics, Mixpanel, Amplitude

These typically set cookies and send behavioural data to US servers. GA4 is the most common Schrems II issue European websites face.

Tag managers

Google Tag Manager, Segment

Tag managers are often US-owned and load additional US vendors. The tag manager itself may be the legal issue, not just the tags it fires.

Fonts and CDNs

Google Fonts, jsDelivr, cdnjs

Loading a font from Google Fonts sends the visitor's IP address to Google's US servers. German courts have issued fines for this. Self-hosting fonts removes the issue.

Customer support

Intercom, Zendesk, HubSpot chat

Chat widgets load scripts that transfer data to US processors. Many of these vendors offer EU data residency as an add-on or in higher-tier plans.

Advertising pixels

Meta Pixel, LinkedIn Insight Tag, TikTok Pixel

Advertising pixels are among the most legally complex vendors. They often make US-owned third parties joint controllers rather than processors.

Session replay

Hotjar, FullStory, Microsoft Clarity

Session replay tools record user interactions. The data often includes personal data by definition and is processed on US infrastructure.

Note: This list is illustrative, not exhaustive. The key question is always whether personal data (including IP addresses) is transferred to a controller or processor outside the EEA. If it is, Schrems II applies.

A practical 6-step process

StackPatrol handles step 1. Steps 2 through 6 require your team, your DPO and in some cases your legal counsel.

Step 1

Discover what your site actually loads

Before you can assess risk you need an inventory. Most teams are surprised by how many third-party domains their site contacts on a single page load.

Step 2

Identify US-owned vendors

Schrems II applies to transfers to the US and other third countries without an adequacy decision. Filter your inventory to US-owned services. Parent company ownership matters, not just where the server sits.

Step 3

Check your legal basis for each transfer

For each US vendor, determine whether they are DPF-certified, whether you have SCCs in place, and whether supplementary measures are needed. This is the legal step that requires your DPO or legal counsel.

Step 4

Replace where possible

For analytics, tag managers, fonts and similar tools there are often European alternatives that remove the transfer question entirely. Replacing a vendor is usually faster than completing a TIA.

Step 5

Document what remains

For US vendors you keep, document the legal basis, the SCCs, and any supplementary measures in your records of processing activities (ROPA). Update your privacy policy and cookie banner to reflect the actual vendor list.

Step 6

Monitor for changes

Vendor stacks change. A tag manager update, a new marketing tool or a third-party script update can silently add a US vendor. Set up weekly monitoring so you are notified when the vendor list on your site changes.
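The discovery, US-vendor filtering and change-monitoring steps above, as an added example that is not StackPatrol's code: it takes the request URLs a headless browser's network log would record for one page load (a constructed sample here), keeps only third-party registrable domains, classifies them with a small hypothetical ownership map keyed by parent company, and diffs the result against a previous inventory.

```python
from urllib.parse import urlsplit

# Hypothetical ownership map keyed by registrable domain (eTLD+1): vendor name and the
# region of the parent company, not the server location. Illustrative assumptions only.
VENDORS = {
    "google-analytics.com": ("Google Analytics 4", "US"),
    "googletagmanager.com": ("Google Tag Manager", "US"),
    "gstatic.com": ("Google Fonts", "US"),
    "plausible.io": ("Plausible Analytics", "EU"),
    "cookiebot.com": ("Cookiebot", "EU"),
}
# Two-label public suffixes that defeat the naive "last two labels" rule.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the last two labels, or three for suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def inventory(site_url: str, request_urls: list[str]) -> dict[str, tuple[str, str]]:
    """Step 1: third-party registrable domains contacted, each mapped to (vendor, region)."""
    site = registrable_domain(urlsplit(site_url).hostname)  # first party, subdomains included
    found = {}
    hosts = [urlsplit(u).hostname for u in request_urls]  # None for data: and blob: URLs
    for dom in {registrable_domain(h) for h in hosts if h}:
        if dom != site:  # unknown domains are flagged "?", never silently treated as EU
            found[dom] = VENDORS.get(dom, ("unknown", "?"))
    return found

def us_owned(inv: dict[str, tuple[str, str]]) -> list[str]:
    """Step 2: the domains whose parent company is US-owned."""
    return sorted(d for d, (_, region) in inv.items() if region == "US")

def new_vendors(previous: set[str], current: dict[str, tuple[str, str]]) -> list[str]:
    """Step 6: domains present in this scan but absent from the last one."""
    return sorted(set(current) - previous)

# Constructed sample: the request URLs a network log of one page load would list.
CAPTURED = [
    "https://www.example.org/",
    "https://static.example.org/app.js",
    "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
    "https://region1.google-analytics.com/g/collect?v=2",
    "https://fonts.gstatic.com/s/inter/v12/inter.woff2",
    "https://plausible.io/js/script.js",
    "https://consent.cookiebot.com/uc.js",
    "data:image/gif;base64,R0lGOD",
]
```

Run `inventory("https://www.example.org/", CAPTURED)` and feed the result to `us_owned` and `new_vendors`; a real scan would replace CAPTURED with the browser's recorded requests.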

Step 1 tool

StackPatrol does the discovery step

Before you can assess risk, you need a complete vendor inventory. That means loading your actual pages in a browser and recording every outbound request, not guessing from memory or checking the tag manager config.

StackPatrol loads your pages in headless Chromium, records every third-party domain, classifies each vendor by ownership region (US, EU, EEA, UK), and suggests European alternatives where they exist.

  • Detects US-owned vendors automatically
  • Shows parent company ownership, not just server location
  • Covers scripts, fonts, CDNs, pixels and embeds
  • Produces a shareable report for your DPO or legal team
  • Free, no signup, results in under 30 seconds
Sample output

Vendor               Category         Region
Google Analytics 4   Analytics        US
Google Tag Manager   Tag Management   US
Cloudflare           CDN / Hosting    US
Plausible Analytics  Analytics        EU
Cookiebot            Cookie Consent   EU


Common questions

Is Schrems II still relevant?
Yes. The EU-US Data Privacy Framework (DPF), adopted in July 2023, replaced the invalidated Privacy Shield and provides a new legal basis for transfers to certified US organisations. However, the DPF can be challenged in court (as its predecessors were), and many US vendors are not yet certified. You still need to verify each vendor individually.
Which US vendors on my site are covered by the DPF?
Only vendors that have self-certified under the DPF are covered. You can check the official list at dataprivacyframework.gov. Many smaller US vendors are not on the list. StackPatrol helps you identify which US vendors are on your site so you know which ones to check.
Do I need a Transfer Impact Assessment (TIA) for every US vendor?
A TIA is required when you rely on Standard Contractual Clauses (SCCs) as your transfer mechanism. If a vendor is DPF-certified, you use the DPF as the legal basis instead and a separate TIA is not required. Check with your legal counsel for your specific situation.
Does StackPatrol certify GDPR compliance?
No. StackPatrol is a technical discovery tool. It shows you which third-party vendors your website contacts and classifies them by ownership region. What you do with that information is a legal and business decision. We are not lawyers and this is not legal advice.
What is the difference between a data processor and a data controller?
A data controller decides why and how personal data is processed. A data processor handles data on behalf of a controller. In a Schrems II context, US analytics vendors like Google are often considered joint controllers or act in ways that go beyond pure processing. This matters for which legal basis you can rely on.
Our site uses Cloudflare. Is that a Schrems II issue?
Cloudflare is a US company but it is DPF-certified and typically acts as a data processor with EU data processing addenda available. The routing of traffic through US infrastructure is a separate question from personal data processing. Talk to your legal counsel if you need certainty.

This is not legal advice

StackPatrol is a technical scanner. It does not certify GDPR compliance and cannot tell you whether your specific use of a vendor is lawful. The information on this page is for general orientation only.

For advice specific to your organisation, consult a qualified data protection lawyer or a certified DPO.

Start with your inventory

Paste your URL below. StackPatrol scans your site in under 30 seconds and shows you every third-party vendor, where they are based, and whether European alternatives exist.

Free, no account needed. Useful as the first item on any Schrems II checklist.
