International Data Transfers: GDPR Compliance in the Global Cloud
Cross-border data transfer compliance: Standard Contractual Clauses, Transfer Impact Assessments, EU-US Data Privacy Framework, and Binding Corporate Rules for multinational groups.
Why international data transfers are a hidden GDPR compliance gap
Does this apply to your business?
Do you know exactly what personal data your company transfers to vendors outside the EEA and what legal safeguard covers each transfer?
Do your cloud provider contracts (AWS, Google, Microsoft, Salesforce) include the 2021 SCCs and an up-to-date Transfer Impact Assessment?
Have you assessed whether the EU-US Data Privacy Framework is sufficient for your US transfers, or whether additional safeguards are needed?
Are all international transfers documented in your records of processing activities with the applicable safeguard referenced?
Our international data transfer audit and remediation process
International transfer mapping
We identify all personal data flows outside the EEA: cloud providers, SaaS platforms, foreign subsidiaries, marketing and analytics vendors, and any other processor located outside the EU.
Existing safeguard verification
We audit the current safeguard for each transfer: adequacy decision coverage, SCCs implemented and updated to the 2021 version, or alternative mechanisms valid under Article 46 GDPR.
Transfer Impact Assessment (TIA)
We conduct TIAs for SCC-based transfers: assessment of the destination country's legal framework, likelihood of government access, and effectiveness of the safeguards in that specific context.
Safeguard implementation and documentation
We implement the 2021 SCCs in processor contracts, negotiate necessary addenda with vendors, and document the transfer inventory in the records of processing activities.
The challenge
Any company using cloud services, SaaS platforms, or vendors outside the European Economic Area is making international personal data transfers. The Schrems II judgment invalidated the Privacy Shield in 2020 and exposed thousands of Spanish companies transferring data to the US without valid safeguards. Many remain in the same position: using outdated standard clauses, without the Transfer Impact Assessment the AEPD requires, or with no safeguard at all.
Our solution
We audit all your company's international data transfers, verify the safeguard applicable to each one, and remediate gaps: implementation of the updated 2021 Standard Contractual Clauses, Transfer Impact Assessments (TIAs), advisory on the EU-US Data Privacy Framework, and design of Binding Corporate Rules for multinational groups.
International transfers of personal data — any transmission of personal data to a country or international organisation outside the European Economic Area (EEA) — are regulated by Chapter V of the EU General Data Protection Regulation (GDPR, Articles 44–49). A transfer can only take place if the destination country benefits from an adequacy decision (Article 45), or if the exporter implements appropriate safeguards such as Standard Contractual Clauses (SCCs — Commission Decision 2021/914), Binding Corporate Rules (BCRs), or a Transfer Impact Assessment (TIA) confirming equivalent protection. The EU-US Data Privacy Framework (Commission Decision 2023/1795) currently provides an adequacy basis for transfers to certified US organisations. The Court of Justice of the EU's Schrems II judgment (Case C-311/18, July 2020) invalidated the previous Privacy Shield and requires case-by-case assessment of third-country legal systems for all SCC-based transfers.
The globalisation of technology services has made international personal data transfers a daily reality for the vast majority of Spanish businesses, regardless of size. Using any US cloud service, CRM platform, analytics tool, or management software with non-EEA servers involves international transfers regulated by Chapter V of the GDPR. The problem is that many organisations make these transfers without valid safeguards — and without knowing it.
The Schrems II Legacy
The CJEU’s Schrems II judgment was a watershed moment whose full implications have still not been absorbed by the Spanish business community. The invalidation of the Privacy Shield and the requirement to conduct a Transfer Impact Assessment to verify that SCCs are practically effective in the destination country transformed a relatively straightforward exercise into a more complex legal and technical analysis. Companies that simply copied and pasted the 2021 SCCs into their vendor contracts without conducting the corresponding TIA remain non-compliant.
The 2021 SCCs introduced modular clauses covering four processing scenarios (controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor), replacing the three previous sets of clauses. This structural change means that organisations reviewing their international transfer contracts need to verify not only that new SCCs are in place, but that the correct module and addendum are used for each specific transfer relationship.
What the Audit Reveals
Complete mapping of international transfers is the indispensable starting point. In our experience, organisations typically identify 30 to 50 percent more transfers than they initially believed they were making: sub-processors that the primary vendor uses in third countries, technical support tools with remote access from outside the EEA, or backup solutions in non-European cloud regions that the provider activates by default. Each of these flows requires its own safeguard — sub-processor transfers are covered by the main processor’s SCCs only if those SCCs specifically authorise sub-processing and impose equivalent obligations down the chain.
For multinational groups, Binding Corporate Rules are the structural solution that allows intra-group transfers to be managed coherently without executing SCCs with each group entity individually. The approval process is complex, but the result is a legally robust instrument recognised by all European supervisory authorities. In a context where regulatory compliance is increasingly a competitive differentiator, an auditable and documented international transfer system is a genuine asset in due diligence processes and institutional client relationships.
The EU-US Data Privacy Framework: Current Status and Risk
The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy basis for transfers to US organisations that have self-certified to the DPF programme administered by the US Department of Commerce. It is currently the operative legal basis for the majority of EU-US transfers in standard cloud and SaaS contracts. However, the DPF is subject to the same legal challenges that invalidated the Privacy Shield and Safe Harbor before it: a third Schrems challenge is considered likely. Organisations that have structured their entire US transfer programme on the DPF adequacy decision should maintain a secondary SCC-based framework in reserve. Our transfer audit service includes a DPF resilience assessment as standard — identifying which transfers rely exclusively on the adequacy decision and designing fallback safeguards for each.
Transfer Impact Assessments: The Practical Methodology
A Transfer Impact Assessment (TIA) is required for all transfers based on Standard Contractual Clauses where the destination country lacks an adequacy decision. The TIA must assess whether the laws and practices of the destination country — particularly government access powers — permit effective enforcement of the SCCs’ data protection obligations. For high-volume transfers to jurisdictions with documented surveillance concerns, the TIA must be completed to a standard that can withstand AEPD scrutiny. We conduct TIAs using a documented methodology aligned with the EDPB’s Recommendations 01/2020 on transfers.
Sub-Processor Chains and Controller Liability
The most under-managed dimension of international transfers is the sub-processor chain. When an organisation contracts with a primary processor that itself uses sub-processors in third countries, the original controller is responsible for ensuring that each link in the chain is covered by appropriate safeguards. Many organisations are unaware of the sub-processors their primary vendors use, or have not verified that onward transfer agreements include the required SCC clauses. The outsourced DPO service integrates this sub-processor monitoring function as an ongoing obligation, not a one-time audit.
International Transfers in M&A and Corporate Transactions
International data transfer compliance is an increasingly significant component of due diligence in corporate transactions. A target company that has been making unprotected transfers to US cloud vendors for years represents a regulatory liability that must be quantified in the deal. Transfer compliance audits as part of M&A due diligence are a standard component of our privacy advisory service for transactions involving European data-intensive businesses. Our impact assessment service integrates the DPIA dimension of these transfers for any processing activities that also require a risk assessment under Article 35 GDPR.
The EU-US Data Privacy Framework and its stability
The EU-US Data Privacy Framework (DPF) — adopted by the European Commission in July 2023 — restores an adequacy basis for transfers to certified US companies. DPF-certified organisations can receive personal data from the EU without requiring SCCs or other supplementary measures. However, the DPF’s long-term stability remains uncertain: the Schrems III challenge filed by NOYB in August 2023 is working through the CJEU and a further invalidation cannot be excluded. Companies relying solely on DPF adequacy for their US transfers should maintain SCC-equivalent agreements as a contingency.
Binding Corporate Rules: the enterprise transfer mechanism
For multinational groups transferring personal data between entities within the group, Binding Corporate Rules (BCRs) under GDPR Article 47 provide the most structurally robust transfer mechanism — but they require approval by the lead supervisory authority and are a multi-year implementation project suitable only for large enterprises. The AEPD co-operates in BCR approval for groups headquartered in Spain. Our privacy team advises on BCR feasibility assessment and implementation strategy for qualifying groups, and provides interim SCC coverage during the BCR approval process.
Practical transfer impact assessment (TIA)
For transfers to third countries without an adequacy decision, the Schrems II judgment requires a Transfer Impact Assessment (TIA) before SCCs can be relied upon. The TIA must assess whether the laws and practices of the recipient country allow the data importer to comply with the SCC obligations — particularly in the context of government access to data. Our TIA methodology draws on the EDPB Recommendations 01/2020 supplementary measures framework and jurisdiction-specific legal assessments for the most common transfer destinations (US, India, China, UK post-Brexit).
Contact our privacy team for a comprehensive international data transfer audit covering your organisation’s actual transfer flows — not just the ones you are aware of.
Data localisation and sovereignty considerations
Beyond GDPR compliance, Spanish and European organisations increasingly face data sovereignty requirements — contractual, regulatory, or reputational — that require personal or sensitive data to remain within specific geographic boundaries. Public sector contracts, healthcare data, and financial services data often carry explicit data localisation requirements that go beyond GDPR’s transfer mechanism framework.
Our international data transfer advisory includes data localisation assessment: mapping which data flows carry localisation requirements, whether cloud providers’ EU-region offerings genuinely meet those requirements (technical architecture review, not just contractual representations), and designing architectures that achieve operational objectives within localisation constraints.
Common pitfalls in transfer compliance
Relying on outdated SCCs: the 2021 SCCs replaced the prior 2001/2004 versions, which have been invalid since December 2022. Companies that have not refreshed their processing agreements may still be relying on invalid SCCs.
Ignoring derogations: GDPR Article 49 provides derogations (occasional transfers for contract performance, vital interests, legal claims) that are frequently overlooked or misapplied. These are narrow exceptions, not general-purpose transfer mechanisms, but they are legitimate options in specific circumstances.
Cloud provider compliance theatre: major cloud providers offer compliance documentation (Privacy Shield successors, SCCs, DPAs) that appears comprehensive but may not cover specific service configurations, sub-processor relationships, or government access provisions in the relevant jurisdiction. Our transfer audit assesses actual cloud configurations, not just standard compliance documentation.
Contact our privacy team for a comprehensive review of your international data transfer architecture.
Self-diagnostic: are your international data transfers compliant?
- Have you mapped all personal data flows that cross EEA borders, including flows to cloud providers and SaaS platforms?
- Does each identified transfer rely on a valid GDPR Chapter V mechanism (adequacy decision, SCCs, BCRs, derogation)?
- Are SCCs from 2021 (not the prior 2001/2004 versions) in place for all non-adequacy transfers?
- Have TIAs been conducted for transfers to jurisdictions where government access to data is a concern?
- Are sub-processor onward transfer chains covered by SCCs that flow through from your primary processor agreement?
Contact our privacy team for an international data transfer audit. The assessment maps actual data flows (not just documented flows), identifies transfer gaps, and delivers a remediation plan prioritised by regulatory risk.
Real results in international data transfer compliance
An internal audit revealed we were transferring European customer data to US servers without valid SCCs or TIAs. BMC resolved the entire situation in three months: new contracts with all vendors, complete TIAs, and an updated transfer register. We now know exactly what safeguard covers every data flow.
Experienced team with local insight and international reach
What our international data transfer service includes
International Transfer Audit
Complete mapping of all personal data flows outside the EEA: cloud providers, SaaS platforms, subsidiaries, sub-processors, and any other recipient in third countries.
Standard Contractual Clauses Implementation
Review, update, and implementation of the 2021 SCCs in all processor contracts with entities located outside the EEA.
Transfer Impact Assessment (TIA)
Analysis of the destination country's legal framework and assessment of safeguard effectiveness in the context of that country's government access laws.
EU-US Data Privacy Framework Advisory
Guidance on the US adequacy decision, certification verification for vendors, and alternative safeguard strategy in the event of future invalidation.
Binding Corporate Rules
Design and management of the BCR approval process for multinational groups with systematic intra-group transfer requirements.
Results that speak for themselves
GDPR Healthcare Spain: Compliance Case Study | BMC
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.
Spain Tax Restructuring: International Group Case | BMC
Effective tax rate reduced from 31% to 22%, annual tax savings of €2.4M, full CbCR compliance, structure verified by Spanish tax authority with no adjustments.
Tech company international expansion
Tax structure implemented enabling operations in 3 new markets with 28% tax savings compared to the unplanned scenario.