Transferring Customer Data Outside the EU? What Spanish Businesses Need to Know in 2026

The Legal Mechanisms Spanish Businesses Use Most

Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are the most widely used transfer mechanism globally. They are pre-approved model contract terms issued by the European Commission that create legally binding data protection obligations between the EU data exporter and the non-EU data importer.

The current version of the SCCs was adopted on 4 June 2021. They replaced the previous three sets of older SCCs and introduced a modular structure with four modules covering different transfer scenarios: controller to controller, controller to processor, processor to processor, and processor to controller.

SCCs can be implemented relatively quickly. Unlike Binding Corporate Rules (see below), they do not require prior approval from a data protection authority. However, signing SCCs is no longer sufficient on its own.

Transfer Impact Assessments (TIAs)

A Transfer Impact Assessment is a structured evaluation of whether the legal and regulatory environment of the destination country is compatible with GDPR standards. It focuses particularly on government surveillance powers, whether authorities can access data without judicial oversight, and what legal remedies are available to EU data subjects in that country.

The French data protection authority CNIL published finalised TIA guidance in January 2025, which provides a practical step-by-step methodology. While this is French guidance, it closely follows the European Data Protection Board’s recommendations and represents the clearest practical framework currently available to EU businesses.

If your TIA reveals that the destination country’s laws undermine the protections in your SCCs, you must implement supplementary technical measures — such as end-to-end encryption — before proceeding. If no supplementary measure can adequately close the gap, the transfer must not take place.

Binding Corporate Rules (BCRs)

Binding Corporate Rules are internal policies that allow multinational corporate groups to transfer personal data between entities within the group, even to countries without adequacy decisions. They create GDPR-level standards across all group entities globally.

BCRs must be approved by a competent EU data protection authority before use — a process that typically takes one to two years and involves significant legal resources. For this reason, BCRs are mainly used by large multinational corporations rather than SMEs.

If your business is a subsidiary or division of a larger international group that already has approved BCRs, you may be able to rely on those for intra-group transfers. Check with your group’s DPO or legal team.

The EU–US Data Privacy Framework (DPF)

The EU–US Data Privacy Framework was adopted by the European Commission in July 2023 as the successor to the invalidated Privacy Shield mechanism. It allows US companies that have self-certified compliance with the DPF to receive personal data from the EU without needing SCCs or a TIA.

If you transfer data to a US-based service provider, the first thing to check is whether that provider is certified under the DPF. You can verify certification at the official DPF website (dataprivacyframework.gov). Many major cloud and technology providers are certified.

However, the DPF’s long-term stability is not guaranteed. A legal challenge brought before the Court of Justice of the EU remains pending as of publication. Additionally, political developments in the US — including the dismissal of members of the oversight body in January 2025 — have raised questions about whether the DPF’s redress mechanism remains fully operational. Privacy advocates, including the group noyb, have argued the framework could be challenged again.

The practical advice for Spanish businesses: use the DPF for US transfers where it is available, but maintain SCCs with your key US providers as a backup mechanism. That way, if the DPF is invalidated, your transfers do not become unlawful overnight.

What the AEPD Has Said and Done

Spain’s data protection authority has demonstrated it will actively enforce the international transfer rules. The AEPD fined Google €10 million for unlawful transfers of personal data — one of the clearest signals that the authority treats this area with the same seriousness as it treats consent violations or security failures.

More broadly, the AEPD’s enforcement trend is unmistakable. Total fines in 2024 reached a record €35.5 million — a 19% increase on the previous year. The authority has shifted its focus from high-volume, low-value sanctions to targeted, high-impact cases with substantially larger penalties. International transfers, biometric data, and AI-related processing are all within its current enforcement priorities.

The AEPD follows GDPR Chapter V without adding significant national-level restrictions beyond the standard framework. This means Spanish businesses rely on the same transfer mechanisms available across the EU — but they must be properly implemented, documented, and regularly reviewed.

Common Scenarios Spanish Businesses Get Wrong

Using US software without checking the DPF or implementing SCCs

If your business uses US tools like Google Workspace, Salesforce, HubSpot, Mailchimp, or Zoom, you are almost certainly transferring personal data to the US. Many of these providers are DPF-certified or offer SCCs as part of their data processing agreements. But you need to actively confirm this — and keep a record that you did.

Assuming data residency solves the problem

Choosing a cloud provider that stores data in Frankfurt or Dublin does not necessarily mean your transfer obligations are met. If the provider is a US-incorporated company subject to the US CLOUD Act, the risk of government access to data persists regardless of server location. You still need SCCs or another transfer mechanism.

Not reviewing third-party processors

If you use a data processor — a third party that processes personal data on your behalf — you are responsible for ensuring that processor has appropriate transfer safeguards in place, including for any sub-processors they use. Under GDPR Article 28, your Data Processing Agreement with that provider must address international transfers. Simply signing a DPA is not enough if it does not cover onward transfers and sub-processors.

Relying on outdated SCCs

The 2021 SCCs replaced all previous sets. If your business signed SCCs before December 2022 and never updated them, you may be operating under clauses that are no longer compliant. Check all your data processing agreements now.

No TIA documentation

Many businesses use SCCs but have no documented Transfer Impact Assessment to accompany them. Following the Schrems II ruling, a TIA is not optional — it is a legal requirement when relying on SCCs. Without documentation, you have no accountability evidence and no defence in an investigation.

A Practical Compliance Checklist for International Transfers

Use this checklist to assess and improve your current position.

• Map all outbound data flows. Identify every transfer of personal data outside the EEA — including data shared with software providers, cloud services, outsourcing partners, and group entities.
• Check adequacy status for each destination country. Verify whether the country has a current adequacy decision before assuming you can transfer freely.
• Verify DPF certification for US recipients. For US-based providers, check dataprivacyframework.gov to confirm their certification status.
• Implement SCCs with non-adequate country providers. Use the 2021 SCCs and select the correct module for your transfer scenario.
• Conduct and document a TIA for each SCC-based transfer. Assess the destination country’s legal framework and document your conclusions. If supplementary measures are needed, implement and record them.
• Review Data Processing Agreements. Ensure every DPA with a third-party processor covers international transfers and sub-processor obligations.
• Keep your transfer records in your Record of Processing Activities (RoPA). Your RoPA should record not just what data you process but where it goes and what transfer mechanism you rely on.
• Set a review schedule. Adequacy decisions can be revoked. The DPF may be challenged. Transfer mechanisms should be reviewed at least annually or when material changes occur.

How This Connects to the Rest of Your GDPR Compliance Programme

International data transfers do not exist in isolation. They intersect with several other areas of GDPR compliance that are covered in more depth across our content cluster:

• Your Record of Processing Activities must include details of all international transfers, including the safeguards you rely on. This connects directly to the accountability principle.
• If you use AI tools that process personal data and those tools are hosted outside the EU, you have both a GDPR transfer obligation and — after 2 August 2026 — obligations under the EU AI Act. See our guide: GDPR and AI: What Spanish Companies Using AI Tools Must Do Before August 2026.
• If a data breach involves personal data that has been transferred outside the EU, your 72-hour notification obligation to the AEPD still applies. See: How to Handle a GDPR Data Breach as a Business in Spain: The 72-Hour Rule Explained.
• Understanding Spain’s LOPDGDD alongside GDPR is essential for a complete picture of your obligations. See: GDPR vs. Spain’s LOPDGDD: Understanding Both Laws and Why Your Business Must Comply With Both.

Build the Knowledge to Get International Transfers Right

Understanding the rules for international data transfers is one thing. Building the documentation, conducting proper TIAs, reviewing your supplier agreements, and keeping everything updated as the regulatory landscape evolves is a sustained compliance programme.

The EU GDPR Compliance and Data Protection for Businesses course from the Spanish Compliance Institute is designed to give you exactly that — a complete, structured programme built for the Spanish and EU regulatory environment your business operates in.

Across five modules, you will cover everything from the foundational principles of GDPR to advanced topics including risk assessment, third-party processor management, and the data protection implications of emerging technologies. The course includes 18 downloadable templates, among them the tools you need to document your international transfers, assess destination country risks, and maintain compliant supplier agreements.

Whether you are a business owner getting compliant for the first time or a compliance professional building a formal programme, the course provides the structure and practical tools to get it done properly.