Thomson Reuters transfers personal data internationally and states it uses legal mechanisms such as Standard Contractual Clauses to make those transfers lawful under EU and UK data protection law.
This analysis describes what Thomson Reuters's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
International data transfers are a key compliance area under GDPR; the sufficiency of transfer mechanisms depends on whether Thomson Reuters has conducted Transfer Impact Assessments, particularly for transfers to the United States.
Interpretive note: The statement does not specify which transfer mechanism applies to which processing activity or destination country, and does not confirm whether Transfer Impact Assessments have been conducted for U.S. transfers.
Your personal data held by Thomson Reuters may be transferred to and processed in countries outside your own, including the United States, under legal mechanisms that are subject to ongoing regulatory scrutiny, particularly in the EU and UK.
How other platforms handle this
OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by tho...
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
We may transfer your personal information to countries other than the country in which you live. We transfer personal data from the European Economic Area, United Kingdom, and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level ...
Monitoring
Thomson Reuters has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When we transfer personal information across international borders, we do so in compliance with applicable data protection laws. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognised transfer tools.— Excerpt from Thomson Reuters's Thomson Reuters Privacy
REGULATORY LANDSCAPE: Cross-border transfers from the EU and EEA engage GDPR Chapter V, including the requirements for Standard Contractual Clauses (updated 2021 SCCs), adequacy decisions, and Binding Corporate Rules. The EU-US Data Privacy Framework provides an adequacy mechanism for transfers to certified U.S. organisations. UK GDPR and the UK's International Data Transfer Agreement (IDTA) govern transfers from the UK. The statement does not specify which mechanism applies to which transfer, which is a gap compliance teams should address. GOVERNANCE EXPOSURE: Medium. Standard Contractual Clauses are a well-established mechanism, but the Schrems II ruling established that SCCs must be accompanied by Transfer Impact Assessments (TIAs) where the destination country's surveillance laws could undermine the protections. Thomson Reuters' U.S. headquarters and operations create this obligation for EU and UK-facing transfers. Failure to maintain TIAs could expose enterprise customers who rely on Thomson Reuters as a data processor to regulatory challenge. JURISDICTION FLAGS: EU and EEA regulators, particularly the Irish DPC (where Thomson Reuters may have EU establishment), the German DPAs, and the French CNIL, have been active in scrutinising U.S. data transfers. UK ICO has separate transfer requirements under the IDTA. Swiss data protection law also requires separate transfer mechanisms. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request confirmation of which specific transfer mechanisms Thomson Reuters relies on for their data, and whether TIAs have been conducted covering relevant destination countries. DPAs should specify the applicable transfer mechanism by processing activity. Procurement teams should flag the absence of mechanism-specific disclosure in the public statement as a due diligence gap. COMPLIANCE CONSIDERATIONS: Compliance teams should update data transfer impact assessments to reflect Thomson Reuters as a sub-processor or processor, confirm the vintage and applicability of any SCCs in place (2021 updated SCCs should be used for new agreements), and assess whether the EU-US Data Privacy Framework certification status of Thomson Reuters covers relevant processing activities.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
International data transfers are a key compliance area under GDPR; the sufficiency of transfer mechanisms depends on whether Thomson Reuters has conducted Transfer Impact Assessments, particularly for transfers to the United States.
Your personal data held by Thomson Reuters may be transferred to and processed in countries outside your own, including the United States, under legal mechanisms that are subject to ongoing regulatory scrutiny, particularly in the EU and UK.
ConductAtlas has identified this type of provision across 78 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Thomson Reuters.