Thomson Reuters transfers personal data internationally and states it uses legal mechanisms such as Standard Contractual Clauses to make those transfers lawful under EU and UK data protection law.
This analysis describes what Thomson Reuters's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
International data transfers are a key compliance area under GDPR; the sufficiency of transfer mechanisms depends on whether Thomson Reuters has conducted Transfer Impact Assessments, particularly for transfers to the United States.
Interpretive note: The statement does not specify which transfer mechanism applies to which processing activity or destination country, and does not confirm whether Transfer Impact Assessments have been conducted for U.S. transfers.
Your personal data held by Thomson Reuters may be transferred to and processed in countries outside your own, including the United States, under legal mechanisms that are subject to ongoing regulatory scrutiny, particularly in the EU and UK.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Thomson Reuters has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When we transfer personal information across international borders, we do so in compliance with applicable data protection laws. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognised transfer tools.— Excerpt from Thomson Reuters's Thomson Reuters Privacy
REGULATORY LANDSCAPE: Cross-border transfers from the EU and EEA engage GDPR Chapter V, including the requirements for Standard Contractual Clauses (updated 2021 SCCs), adequacy decisions, and Binding Corporate Rules. The EU-US Data Privacy Framework provides an adequacy mechanism for transfers to certified U.S. organisations. UK GDPR and the UK's International Data Transfer Agreement (IDTA) govern transfers from the UK. The statement does not specify which mechanism applies to which transfer, which is a gap compliance teams should address. GOVERNANCE EXPOSURE: Medium. Standard Contractual Clauses are a well-established mechanism, but the Schrems II ruling established that SCCs must be accompanied by Transfer Impact Assessments (TIAs) where the destination country's surveillance laws could undermine the protections. Thomson Reuters' U.S. headquarters and operations create this obligation for EU and UK-facing transfers. Failure to maintain TIAs could expose enterprise customers who rely on Thomson Reuters as a data processor to regulatory challenge. JURISDICTION FLAGS: EU and EEA regulators, particularly the Irish DPC (where Thomson Reuters may have EU establishment), the German DPAs, and the French CNIL, have been active in scrutinising U.S. data transfers. UK ICO has separate transfer requirements under the IDTA. Swiss data protection law also requires separate transfer mechanisms. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request confirmation of which specific transfer mechanisms Thomson Reuters relies on for their data, and whether TIAs have been conducted covering relevant destination countries. DPAs should specify the applicable transfer mechanism by processing activity. Procurement teams should flag the absence of mechanism-specific disclosure in the public statement as a due diligence gap. COMPLIANCE CONSIDERATIONS: Compliance teams should update data transfer impact assessments to reflect Thomson Reuters as a sub-processor or processor, confirm the vintage and applicability of any SCCs in place (2021 updated SCCs should be used for new agreements), and assess whether the EU-US Data Privacy Framework certification status of Thomson Reuters covers relevant processing activities.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
International data transfers are a key compliance area under GDPR; the sufficiency of transfer mechanisms depends on whether Thomson Reuters has conducted Transfer Impact Assessments, particularly for transfers to the United States.
Your personal data held by Thomson Reuters may be transferred to and processed in countries outside your own, including the United States, under legal mechanisms that are subject to ongoing regulatory scrutiny, particularly in the EU and UK.
ConductAtlas has identified this type of provision across 84 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Thomson Reuters.