International Data Transfers: SCCs after Schrems II

·

Every time a Spanish company sends customer or employee data to a cloud service provider based in the United States, it transfers personal data outside the European Economic Area (EEA). That seemingly routine act is governed by Chapter V of Regulation (EU) 2016/679 (GDPR) and requires a lawful transfer mechanism before the data crosses the border. Without one, the transfer is unlawful and may be sanctioned with up to EUR 20,000,000 or 4 % of total worldwide annual turnover under Article 83.5 of the GDPR.

This article analyses, with regulatory rigour, the mechanisms currently in force: adequacy decisions, 2021 Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework (DPF). It also explains how the Schrems II judgment of the Court of Justice of the European Union (CJEU) changed the rules of the game and why the Transfer Impact Assessment (TIA) is now indispensable.

Chapter V of the GDPR: the non-circumvention principle

Article 44 of the GDPR establishes the general principle governing international transfers: "Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor."

This principle has an immediate practical consequence: no other article of the GDPR — not the consent under Article 6, nor the legitimate interest — replaces the enabling mechanism of Chapter V. For an international transfer to be lawful, two simultaneous conditions must be met: a legal basis for processing within the EEA (Arts. 6 or 9 GDPR) and a Chapter V enabling mechanism to transfer those data outside the EEA.

Chapter V provides three main routes: adequacy decisions (Art. 45), appropriate safeguards (Art. 46, which includes Standard Contractual Clauses), and specific derogations for particular situations (Art. 49). Binding Corporate Rules (Art. 47, BCR) are also an appropriate safeguard, but are more complex to access due to the lengthy approval process before supervisory authorities.

Adequacy decisions (Article 45 of the GDPR)

When the European Commission finds that a third country provides a level of protection essentially equivalent to that of the EEA, it adopts an adequacy decision. Transfers to that country require no additional safeguard: the mechanism is the decision itself, and the company may transfer data as if it were doing so within the EEA.

As of 2026, countries with full or sectoral adequacy decisions include, among others, Andorra, Argentina, Canada (private sector), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the United Kingdom, the Republic of Korea, Switzerland and Uruguay. The list is updated periodically and each decision has a specific material scope that should be reviewed before assuming automatic coverage.

The most relevant development in recent years is the adequacy decision for transfers to US companies certified under the EU-US Data Privacy Framework (DPF), adopted on 10 July 2023 by Implementing Decision (EU) 2023/1795. This will be addressed in detail below.

Standard Contractual Clauses (SCC): legal basis and operation

When the destination country lacks an adequacy decision, the most common option for companies is to rely on the appropriate safeguards under Article 46 of the GDPR. Standard Contractual Clauses (SCC) are the most widely used instrument, under Article 46.2.c of the GDPR.

Their mechanics are simple in theory: the data exporter (in the EEA) and the data importer (outside the EEA) sign a contract incorporating the clauses approved by the European Commission. That contract imposes on the importer obligations equivalent to those under the GDPR and gives data subjects rights enforceable directly against the importer. If the importer fails to comply with its obligations, the exporter can and must suspend the transfer.

The problem exposed by Schrems II is that signing such a contract does not, on its own, guarantee that the importer will be able to comply with it in practice, if the legislation of the destination country requires companies to give intelligence services access to their data without European citizens having access to an effective judicial remedy.

The Schrems II judgment: the Privacy Shield falls, SCC survive with conditions

On 16 July 2020, the CJEU delivered its judgment in Case C-311/18 (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), known as Schrems II. The consequences were twofold:

This second consequence introduced into business practice the concept of the Transfer Impact Assessment (TIA), which the European Data Protection Board (EDPB) developed in its Recommendations 01/2020.

The 2021 SCCs: modular structure and adoption deadline

The European Commission adopted the new Standard Contractual Clauses by Implementing Decision (EU) 2021/914 of 4 June 2021. The 2021 SCCs replaced earlier versions (2001 and 2010) and incorporated the requirements arising from Schrems II. Their modular design covers four types of relationship between data exporter and data importer:

Module Relationship covered Typical example
Module 1 Controller → Controller US parent company receives data from its Spanish subsidiary
Module 2 Controller → Processor Spanish company contracts a SaaS hosted in the US
Module 3 Processor → Sub-processor European cloud provider sub-contracts storage in the US
Module 4 Processor → Controller Spanish subsidiary (processor) transfers data to the group (controller) in the US

The transitional period for migrating from old SCCs to the 2021 versions expired on 27 December 2022. From that date, only the 2021 SCCs are valid as an enabling mechanism. Old clauses still appearing in existing contracts with non-EEA importers have no legal effect for these purposes and must be updated.

The Transfer Impact Assessment (TIA)

The Transfer Impact Assessment (TIA) is the analysis that the data exporter must carry out to verify whether the SCCs can be effective in the destination country. There is no single official format, but the EDPB describes in its Recommendations 01/2020 a process that in practice is addressed in three phases:

  1. Know the transfer: identify what personal data are transferred, to which country, for what purpose, under which SCC module and who the importer is.
  2. Identify the enabling mechanism: verify that signed 2021 SCCs or another valid mechanism (adequacy decision, BCR, etc.) are in place.
  3. Assess practical effectiveness: analyse the legal framework of the destination country — surveillance legislation, access by public authorities, judicial remedies available to data subjects — and determine whether the importer can comply with its SCC obligations in that context. If not, supplementary measures must be adopted or the transfer must be suspended.

Supplementary measures may be technical (end-to-end encryption preventing the importer from decrypting the data, pseudonymisation, decryption operations only within the EEA), contractual (additional obligations on the importer to resist and notify access requests from authorities) or organisational (procedures to detect and manage abusive requests). These measures are not a mere formality: if the law of the destination country legally obliges the importer to disclose the data and there is no effective remedy for data subjects, even the best technical measures cannot legally save the transfer.

At Summum Consultoría, we support organisations in their GDPR compliance, including mapping international transfers and preparing the corresponding TIAs, tailored to the sector and size of each company. The practical approach we apply aims to ensure that each measure adopted is proportionate and duly documented in the event of an inspection by the Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos).

The EU-US Data Privacy Framework: the new Privacy Shield?

On 10 July 2023, the European Commission adopted Implementing Decision (EU) 2023/1795, granting adequacy to transfers of data to US companies certified under the EU-US Data Privacy Framework (DPF). US companies that voluntarily certify with the US Department of Commerce are covered by this decision, without needing SCCs or a TIA for transfers within the scope of their certification.

The main innovations of the DPF compared to the invalidated Privacy Shield are:

However, the DPF is not free from uncertainty. Privacy activists announced in 2023 their intention to challenge it before the CJEU, arguing that the reforms are insufficient to eliminate the deficiencies that motivated Schrems II. Until a new invalidation ruling exists, the DPF is a legally valid mechanism and companies may rely on it. Nevertheless, it is prudent to document the provider's certification for each transfer operation, given the litigation context.

If the US provider is not certified under the DPF, or if its certification does not cover the category of data or the specific processing purpose, the Spanish exporting company must use the 2021 SCCs and complete the corresponding TIA.

Comparative overview of transfer mechanisms

Mechanism GDPR legal basis TIA required? Additional contract required? Status in 2026
Adequacy decision Art. 45 No No Valid (country-dependent)
SCC 2021 Art. 46.2.c Yes Yes (modular clauses) Valid
EU-US DPF Art. 45 (Dec. 2023/1795) No (if provider certified) No Valid (subject to possible judicial challenge)
Binding Corporate Rules (BCR) Art. 47 Yes Yes (supervisory authority approval) Valid (lengthy and complex process)
Specific derogations Art. 49 No No For specific cases only; not for systematic use
Privacy Shield Former Art. 45 Invalid (Schrems II judgment, July 2020)
Old SCCs (2001/2010) Former Art. 46 Invalid since 27 December 2022

Consequences of non-compliance

International transfers without an enabling mechanism constitute a serious infringement of the GDPR. Article 83.5.c classifies non-compliance with Chapter V as subject to fines of up to EUR 20,000,000 or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. The Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales) supplements the sanctioning regime under Spanish law without modifying the maximum thresholds set out in the European Regulation.

Beyond financial penalties, the AEPD may order the precautionary suspension of the transfer while investigating the infringement. This can interrupt access to SaaS tools, cloud platforms or analytics services with servers outside the EEA, with a significant operational impact on the affected organisation.

If you wish to review your organisation's international transfer map and align it with current regulations, the data protection team at Summum Consultoría is at your disposal across our five offices in Castilla y León and the Canary Islands — Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas. Since 2007 we have been supporting organisations in their regulatory compliance, with a practical approach tailored to the reality of each organisation.

Frequently asked questions

Can I continue using the 2010 SCCs if I already had them signed with my providers?

No. The transitional period for migrating to the 2021 SCCs expired on 27 December 2022. Earlier versions of the Standard Contractual Clauses (2001 and 2010) are no longer a valid enabling mechanism. If your contracts with non-EEA providers still include the old SCCs, you must update them to the 2021 version adopted by Implementing Decision (EU) 2021/914. Keeping the old SCCs means having no enabling mechanism, with the resulting exposure to sanctions.

If my US provider is certified under the EU-US DPF, do I need to do anything else?

You must verify that the certification in the DPF public registry is active and current at the time of the transfer, and that it covers the category of data you are transferring (human resources data and data of non-employee individuals are covered under different certification scopes). If the certification covers your transfer, you do not need SCCs or a TIA. However, it is advisable to document that verification as part of the Record of Processing Activities (Art. 30 GDPR), especially given the context of a possible judicial challenge to the DPF. If the CJEU ever invalidates the DPF, you must have 2021 SCCs with a TIA ready as an immediate alternative.

How does the Transfer Impact Assessment (TIA) differ from a DPIA?

The Transfer Impact Assessment (TIA) analyses specifically whether the chosen enabling mechanism — normally the SCCs — can be effective in the destination country, focusing on that country's legal framework and the risks to data subjects arising from possible access by foreign authorities. The Data Protection Impact Assessment (DPIA), regulated in Article 35 of the GDPR, analyses the risks of the processing itself to the rights and freedoms of data subjects, regardless of whether there is an international transfer. They are distinct and complementary analyses: the same processing operation may require both. You can find more information in our article on how to carry out a DPIA step by step.

Can the AEPD investigate whether our company makes international transfers without an enabling mechanism?

Yes. The AEPD may open proceedings on its own initiative or following a complaint — for example, from an employee or customer whose data are transferred to a non-EEA provider without coverage — to verify the existence of an enabling mechanism. If it finds that such a mechanism is absent, it may impose corrective measures, order the immediate suspension of the transfer and initiate sanctioning proceedings under Article 83.5 of the GDPR. Having well-organised documentation of the TIAs carried out and the SCC contracts signed is the best evidence of due diligence in an inspection.