International Data Transfers: GDPR Compliance in the Global Cloud

International transfers of personal data — any transmission of personal data to a country or international organisation outside the European Economic Area (EEA) — are regulated by Chapter V of the EU General Data Protection Regulation (GDPR, Articles 44–49). A transfer can only take place if the destination country benefits from an adequacy decision (Article 45), or if the exporter implements appropriate safeguards such as Standard Contractual Clauses (SCCs — Commission Decision 2021/914), Binding Corporate Rules (BCRs), or a Transfer Impact Assessment (TIA) confirming equivalent protection. The EU-US Data Privacy Framework (Commission Decision 2023/1795) currently provides an adequacy basis for transfers to certified US organisations. The Court of Justice of the EU's Schrems II judgment (Case C-311/18, July 2020) invalidated the previous Privacy Shield and requires case-by-case assessment of third-country legal systems for all SCCs-based transfers.

The globalisation of technology services has made international personal data transfers a daily reality for the vast majority of Spanish businesses, regardless of size. Using any US cloud service, CRM platform, analytics tool, or management software with non-EEA servers involves international transfers regulated by Chapter V of the GDPR. The problem is that many organisations make these transfers without valid safeguards — and without knowing it.

The Schrems II Legacy

The CJEU’s Schrems II judgment was a watershed moment whose full implications have still not been absorbed by the Spanish business community. The invalidation of the Privacy Shield and the requirement to conduct a Transfer Impact Assessment to verify that SCCs are practically effective in the destination country transformed a relatively straightforward exercise into a more complex legal and technical analysis. Companies that simply copied and pasted the 2021 SCCs into their vendor contracts without conducting the corresponding TIA remain non-compliant.

The 2021 SCCs introduced modular clauses covering four processing scenarios (controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor), replacing the three previous sets of clauses. This structural change means that organisations reviewing their international transfer contracts need to verify not only that new SCCs are in place, but that the correct module and addendum are used for each specific transfer relationship.

What the Audit Reveals

Complete mapping of international transfers is the indispensable starting point. In our experience, organisations typically identify 30 to 50 percent more transfers than they initially believed they were making: sub-processors that the primary vendor uses in third countries, technical support tools with remote access from outside the EEA, or backup solutions in non-European cloud regions that the provider activates by default. Each of these flows requires its own safeguard — sub-processor transfers are covered by the main processor’s SCCs only if those SCCs specifically authorise sub-processing and impose equivalent obligations down the chain.

For multinational groups, Binding Corporate Rules are the structural solution that allows intra-group transfers to be managed coherently without executing SCCs with each group entity individually. The approval process is complex, but the result is a legally robust instrument recognised by all European supervisory authorities. In a context where regulatory compliance is increasingly a competitive differentiator, an auditable and documented international transfer system is a genuine asset in due diligence processes and institutional client relationships.