International Data Transfers: GDPR Compliance in the Global Cloud
Cross-border data transfer compliance: Standard Contractual Clauses, Transfer Impact Assessments, EU-US Data Privacy Framework, and Binding Corporate Rules for multinational groups.
Does this apply to your business?
Do you know exactly what personal data your company transfers to vendors outside the EEA and what legal safeguard covers each transfer?
Do your cloud provider contracts (AWS, Google, Microsoft, Salesforce) include the 2021 SCCs and an up-to-date Transfer Impact Assessment?
Have you assessed whether the EU-US Data Privacy Framework is sufficient for your US transfers, or whether additional safeguards are needed?
Are all international transfers documented in your records of processing activities with the applicable safeguard referenced?
Our international data transfer audit and remediation process
International transfer mapping
We identify all personal data flows outside the EEA: cloud providers, SaaS platforms, foreign subsidiaries, marketing and analytics vendors, and any other processor located outside the EU.
Existing safeguard verification
We audit the current safeguard for each transfer: adequacy decision coverage, SCCs implemented and updated to the 2021 version, or alternative mechanisms valid under Article 46 GDPR.
Transfer Impact Assessment (TIA)
We conduct TIAs for SCC-based transfers: assessment of the destination country's legal framework, likelihood of government access, and effectiveness of the safeguards in that specific context.
Safeguard implementation and documentation
We implement the 2021 SCCs in processor contracts, negotiate necessary addenda with vendors, and document the transfer inventory in the records of processing activities.
The challenge
Any company using cloud services, SaaS platforms, or vendors outside the European Economic Area is making international personal data transfers. The Schrems II judgment invalidated the Privacy Shield in 2020 and exposed thousands of Spanish companies transferring data to the US without valid safeguards. Many remain in the same position: using outdated standard clauses, without the Transfer Impact Assessment the AEPD requires, or with no safeguard at all.
Our solution
We audit all your company's international data transfers, verify the safeguard applicable to each one, and remediate gaps: implementation of the updated 2021 Standard Contractual Clauses, Transfer Impact Assessments (TIAs), advisory on the EU-US Data Privacy Framework, and design of Binding Corporate Rules for multinational groups.
International transfers of personal data — any transmission of personal data to a country or international organisation outside the European Economic Area (EEA) — are regulated by Chapter V of the EU General Data Protection Regulation (GDPR, Articles 44–49). A transfer can only take place if the destination country benefits from an adequacy decision (Article 45), or if the exporter implements appropriate safeguards such as Standard Contractual Clauses (SCCs — Commission Decision 2021/914), Binding Corporate Rules (BCRs), or a Transfer Impact Assessment (TIA) confirming equivalent protection. The EU-US Data Privacy Framework (Commission Decision 2023/1795) currently provides an adequacy basis for transfers to certified US organisations. The Court of Justice of the EU's Schrems II judgment (Case C-311/18, July 2020) invalidated the previous Privacy Shield and requires case-by-case assessment of third-country legal systems for all SCC-based transfers.
The globalisation of technology services has made international personal data transfers a daily reality for the vast majority of Spanish businesses, regardless of size. Using any US cloud service, CRM platform, analytics tool, or management software with non-EEA servers involves international transfers regulated by Chapter V of the GDPR. The problem is that many organisations make these transfers without valid safeguards — and without knowing it.
The Schrems II Legacy
The CJEU’s Schrems II judgment was a watershed moment whose full implications have still not been absorbed by the Spanish business community. The invalidation of the Privacy Shield and the requirement to conduct a Transfer Impact Assessment to verify that SCCs are practically effective in the destination country transformed a relatively straightforward exercise into a more complex legal and technical analysis. Companies that simply copied and pasted the 2021 SCCs into their vendor contracts without conducting the corresponding TIA remain non-compliant.
The 2021 SCCs introduced modular clauses covering four processing scenarios (controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor), replacing the three previous sets of clauses. This structural change means that organisations reviewing their international transfer contracts need to verify not only that new SCCs are in place, but that the correct module and addendum are used for each specific transfer relationship.
What the Audit Reveals
Complete mapping of international transfers is the indispensable starting point. In our experience, organisations typically identify 30 to 50 percent more transfers than they initially believed they were making: sub-processors that the primary vendor uses in third countries, technical support tools with remote access from outside the EEA, or backup solutions in non-European cloud regions that the provider activates by default. Each of these flows requires its own safeguard — sub-processor transfers are covered by the main processor’s SCCs only if those SCCs specifically authorise sub-processing and impose equivalent obligations down the chain.
For multinational groups, Binding Corporate Rules are the structural solution that allows intra-group transfers to be managed coherently without executing SCCs with each group entity individually. The approval process is complex, but the result is a legally robust instrument recognised by all European supervisory authorities. In a context where regulatory compliance is increasingly a competitive differentiator, an auditable and documented international transfer system is a genuine asset in due diligence processes and institutional client relationships.
The EU-US Data Privacy Framework: Current Status and Risk
The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy basis for transfers to US organisations that have self-certified to the DPF programme administered by the US Department of Commerce. It is currently the operative legal basis for the majority of EU-US transfers in standard cloud and SaaS contracts. However, the DPF is subject to the same legal challenges that invalidated the Privacy Shield and Safe Harbor before it: a third Schrems challenge is considered likely. Organisations that have structured their entire US transfer programme on the DPF adequacy decision should maintain a secondary SCC-based framework in reserve. Our transfer audit service includes a DPF resilience assessment as standard — identifying which transfers rely exclusively on the adequacy decision and designing fallback safeguards for each.
Transfer Impact Assessments: The Practical Methodology
A Transfer Impact Assessment (TIA) is required for all transfers based on Standard Contractual Clauses where the destination country lacks an adequacy decision. The TIA must assess whether the laws and practices of the destination country — particularly government access powers — permit effective enforcement of the SCCs’ data protection obligations. For high-volume transfers to jurisdictions with documented surveillance concerns, the TIA must be completed to a standard that can withstand AEPD scrutiny. We conduct TIAs using a documented methodology aligned with the EDPB’s Recommendations 01/2020 on transfers.
Sub-Processor Chains and Controller Liability
The most under-managed dimension of international transfers is the sub-processor chain. When an organisation contracts with a primary processor that itself uses sub-processors in third countries, the original controller is responsible for ensuring that each link in the chain is covered by appropriate safeguards. Many organisations are unaware of the sub-processors their primary vendors use, or have not verified that onward transfer agreements include the required SCC clauses. The outsourced DPO service integrates this sub-processor monitoring function as an ongoing obligation, not a one-time audit.
International Transfers in M&A and Corporate Transactions
International data transfer compliance is an increasingly significant component of due diligence in corporate transactions. A target company that has been making unprotected transfers to US cloud vendors for years represents a regulatory liability that must be quantified in the deal. Transfer compliance audits as part of M&A due diligence are a standard component of our privacy advisory service for transactions involving European data-intensive businesses. Our impact assessment service integrates the DPIA dimension of these transfers for any processing activities that also require a risk assessment under Article 35 GDPR.
Real results in international data transfer compliance
An internal audit revealed we were transferring European customer data to US servers without valid SCCs or TIAs. BMC resolved the entire situation in three months: new contracts with all vendors, complete TIAs, and an updated transfer register. We now know exactly what safeguard covers every data flow.
What our international data transfer service includes
International Transfer Audit
Complete mapping of all personal data flows outside the EEA: cloud providers, SaaS platforms, subsidiaries, sub-processors, and any other recipient in third countries.
Standard Contractual Clauses Implementation
Review, update, and implementation of the 2021 SCCs in all processor contracts with entities located outside the EEA.
Transfer Impact Assessment (TIA)
Analysis of the destination country's legal framework and assessment of safeguard effectiveness in the context of that country's government access laws.
EU-US Data Privacy Framework Advisory
Guidance on the US adequacy decision, certification verification for vendors, and alternative safeguard strategy in the event of future invalidation.
Binding Corporate Rules
Design and management of the BCR approval process for multinational groups with systematic intra-group transfer requirements.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.