Skip to main content

International Data Transfer Agreement Spain (Transferencia Internacional de Datos)

Key facts

SpainSpainEnglish (ES)FreePDF & WordUpdated Jun 6, 2026
Legal basisSpainNotarization: Not requiredWitnesses: 0Parties: 2
International Data Transfer Agreement (Transferencia Internacional de Datos)
International Data Transfer Agreement Spain (Transferencia Internacional de Datos)

ACUERDO DE TRANSFERENCIA INTERNACIONAL DE DATOS PERSONALES

Acuerdo de Transferencia Internacional de Datos

Regulado por el Reglamento (UE) 2016/679 (RGPD), artículo 46, y la Ley Orgánica 3/2018 (LOPDGDD)

Cláusulas Contractuales Tipo — Decisión de Ejecución (UE) 2021/914 de la Comisión, de 4 de junio de 2021

1. PARTES

EXPORTADOR DE DATOS:

Denominación social: [Exporter Name]

Domicilio registral: [Exporter Address]

Representante legal: [Exporter Representative]

Contacto del DPD: [Exporter DPO]

Función: [Exporter Role]

IMPORTADOR DE DATOS — PAÍS TERCERO:

Denominación social: [Importer Name]

Representante legal: [Importer Representative]

Función: [Importer Role]

2. MECANISMO DE TRANSFERENCIA

Este Acuerdo de Transferencia Internacional de Datos se establece conforme al artículo 46 del Reglamento (UE) 2016/679 (RGPD) empleando el siguiente mecanismo de transferencia: [SCC Module], adoptado por la Comisión Europea mediante la Decisión de Ejecución (UE) 2021/914 de 4 de junio de 2021 (Cláusulas Contractuales Tipo).

Las partes confirman que las Cláusulas Contractuales Tipo (SCC) aplicables a esta transferencia se incorporan íntegramente a este acuerdo como anexo obligatorio y no pueden modificarse. La ley aplicable a este acuerdo es la ley española (Ley Orgánica 3/2018 — LOPDGDD).

3. DESCRIPCIÓN DE LOS DATOS PERSONALES TRANSFERIDOS

Categorías de datos personales: [Data Categories]

Categorías de interesados: [Data Subject Categories]

Finalidades de la transferencia: [Transfer Purpose]

Base jurídica del tratamiento original: [Legal Basis]

Plazo de conservación en el país tercero: [Retention Period]

4. EVALUACIÓN DE IMPACTO DE LA TRANSFERENCIA (TRANSFER IMPACT ASSESSMENT)

De conformidad con la sentencia Schrems II del TJUE (Asunto C-311/18, de 16 de julio de 2020) y las Recomendaciones 01/2020 del CEPD, el exportador de datos ha realizado una Evaluación de Impacto de la Transferencia (TIA) que valora el marco jurídico de [Importer Country], incluidas las leyes de vigilancia aplicables, el control de supervisión independiente y los recursos judiciales disponibles para los interesados de la UE.

La documentación de la TIA es conservada por [Exporter Name] y está disponible para la Agencia Española de Protección de Datos (AEPD) previa solicitud. Se han implementado medidas técnicas y organizativas complementarias para subsanar cualquier deficiencia de protección identificada en la TIA.

5. MEDIDAS DE SEGURIDAD TÉCNICAS Y ORGANIZATIVAS

Medidas técnicas (Anexo II de las SCC de 2021): [Technical Measures]

Medidas organizativas: [Organisational Measures]

6. DERECHOS DE LOS INTERESADOS

El importador de datos asistirá al exportador de datos en la atención de las solicitudes de ejercicio de derechos de los interesados conforme a los artículos 15 a 22 RGPD — acceso, rectificación, supresión, limitación del tratamiento, portabilidad y oposición — dentro de los plazos establecidos por el artículo 12.3 RGPD (1 mes, ampliable a 3 meses). Los interesados también podrán presentar reclamaciones ante la Agencia Española de Protección de Datos (AEPD) en aepd.es conforme al artículo 77 RGPD.

7. NOTIFICACIÓN DE VIOLACIONES DE LA SEGURIDAD DE LOS DATOS PERSONALES

El importador de datos notificará a [Exporter Name] sin dilación indebida — y en un plazo máximo de 72 horas desde que tenga conocimiento — cualquier violación de la seguridad de los datos personales que afecte a los datos transferidos, proporcionando información suficiente para que el exportador de datos evalúe el riesgo y notifique, en su caso, a la AEPD conforme al artículo 33 RGPD y a los interesados afectados conforme al artículo 34 RGPD.

8. SUPRESIÓN Y DEVOLUCIÓN DE DATOS

Al término o vencimiento de este acuerdo o de la relación de servicios subyacente, el importador de datos, a elección del exportador de datos, suprimirá de forma segura o devolverá todos los datos personales transferidos en virtud de este acuerdo en un plazo de 30 días naturales, salvo que la legislación española o de la UE exija su conservación continuada. La supresión segura deberá documentarse y certificarse al exportador de datos.

9. LEY APLICABLE Y CUMPLIMIENTO ANTE LA AEPD

Este acuerdo se rige por la legislación española — el Reglamento (UE) 2016/679 (RGPD) y la Ley Orgánica 3/2018 (LOPDGDD). La Agencia Española de Protección de Datos (AEPD), creada conforme al artículo 44 LOPDGDD como autoridad de control competente en España conforme al artículo 51 RGPD, tiene competencia para hacer cumplir este acuerdo. Las infracciones del artículo 46 RGPD (transferencias internacionales) están sujetas a multas de hasta 20.000.000 € o el 4% de la facturación anual global total, conforme al artículo 83.5.c RGPD. El exportador de datos mantiene un Registro de Actividades de Tratamiento (artículo 30 RGPD) que documenta todas las transferencias internacionales realizadas en virtud de este acuerdo.

FIRMAS

EXPORTADOR DE DATOS:

Representado por: [Exporter Representative]

Firma: _________________________ Fecha: _________________________

IMPORTADOR DE DATOS:

Representado por: [Importer Representative]

Firma: _________________________ Fecha: _________________________

Exportador de datos / Representante legal

________________

Signature

Importador de datos / Representante legal

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: ·Report an error

What Is a International Data Transfer Agreement Spain (Transferencia Internacional de Datos)?

An International Data Transfer Agreement Spain (Acuerdo de Transferencia Internacional de Datos Personales) is a formal legal instrument under Article 46 of the Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo (RGPD — known in Spain as the Reglamento General de Protección de Datos) and Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD), by which a Spanish data exporter (exportador de datos) — whether a data controller (responsable del tratamiento) or data processor (encargado del tratamiento) — lawfully transfers personal data of EU/EEA individuals to a recipient established in a third country (país tercero) or international organisation that does not benefit from an EU adequacy decision (decisión de adecuación) under Article 45 RGPD.

The RGPD prohibits personal data transfers to third countries outside the European Economic Area (EEA) unless one of the transfer mechanisms listed in Chapter V (Articles 44-49 RGPD) is satisfied. The principal mechanism for business-to-business international data transfers under Article 46 RGPD is the use of Standard Contractual Clauses (SCC — Cláusulas Contractuales Tipo) adopted by the European Commission — the current SCC were adopted by Commission Decision 2021/914/UE on 4 June 2021, replacing the previous 2001 and 2010 SCCs. The 2021 SCCs provide four modular sets covering: controller-to-controller transfers; controller-to-processor transfers; processor-to-controller transfers; and processor-to-processor transfers — each reflecting the specific accountability and data protection obligations of the parties under the RGPD.

The Agencia Española de Protección de Datos (AEPD) — Spain's national data protection supervisory authority (autoridad de control), designated under Article 51 RGPD and established by Article 44 of Ley Orgánica 3/2018 — supervises compliance with international data transfer rules in Spain. The AEPD has issued specific guidance on international data transfers in its Guía sobre transferencias internacionales de datos (published on aepd.es) and participates in the European Data Protection Board (EDPB) guidance framework, including the EDPB Recommendations 01/2020 on measures that supplement transfer tools and 02/2020 on the Essential Guarantees for surveillance measures.

Following the Court of Justice of the European Union (CJEU) Schrems II judgment (Case C-311/18, 16 July 2020), data exporters must conduct a Transfer Impact Assessment (TIA — Evaluación de Impacto de la Transferencia) before implementing SCC-based transfers to certain countries — particularly the United States — to verify that the legal system of the third country provides a level of personal data protection essentially equivalent to that of the RGPD and the EU Charter of Fundamental Rights. Where the TIA reveals gaps, supplementary technical or organisational measures (medidas suplementarias técnicas u organizativas) must be implemented — such as end-to-end encryption, pseudonymisation, or contractual prohibitions on access by government authorities.

Alternative transfer mechanisms under Article 46 RGPD include Binding Corporate Rules (BCR — Normas Corporativas Vinculantes) for intra-group transfers — approved by the competent supervisory authority (lead authority determined by the company's EU establishment under the one-stop-shop mechanism of Article 56 RGPD); approved Codes of Conduct (Códigos de Conducta) under Article 46.2(e) RGPD; and approved Certification Mechanisms (Mecanismos de Certificación) under Article 46.2(f) RGPD. The EU-U.S. Data Privacy Framework (DPF — adopted by Commission Decision of 10 July 2023) reinstated an adequacy mechanism for transfers to DPF-certified US companies, replacing the invalidated Privacy Shield — Spanish companies transferring data to US recipients should verify DPF certification through the DPF list maintained by the U.S. Department of Commerce.

When Do You Need a International Data Transfer Agreement Spain (Transferencia Internacional de Datos)?

An International Data Transfer Agreement Spain is required whenever a Spanish company (responsable del tratamiento) or a Spanish data processor (encargado del tratamiento) transfers personal data of EU residents to a recipient in a country outside the EEA that does not benefit from an EU adequacy decision under Article 45 RGPD.

The agreement is needed when a Spanish company uses cloud computing services, SaaS platforms, CRM systems, HR software, or any IT service provided by a company established in a non-EEA country — such as the United States, India, or Brazil — where the cloud provider processes personal data on behalf of the Spanish company. Standard Contractual Clauses (Module 2: controller-to-processor) must be incorporated into the service agreement.

An International Data Transfer Agreement is required when a Spanish subsidiary or branch of a multinational group transfers employee personal data (nóminas, datos de RRHH, datos de beneficios) to a parent company or shared services centre established outside the EEA — in this case, Binding Corporate Rules (BCR) or Module 1 SCCs (controller-to-controller) are the applicable mechanisms.

The agreement is needed when a Spanish e-commerce company, financial institution, or healthcare provider transfers customer personal data to a third-country partner — for analytics, fraud prevention, customer support, or research — where the third-country partner acts as a data controller in its own right (Module 1 SCCs) or as a processor on behalf of the Spanish company (Module 2 SCCs).

An Acuerdo de Transferencia Internacional de Datos is required when a Spanish company's employees work internationally and access company systems from non-EEA countries — particularly where personal data about other employees, customers, or suppliers is regularly accessed from non-EEA locations, constituting a cross-border transfer requiring legal basis under Chapter V RGPD.

The agreement is needed when a Spanish legal entity undergoes a merger, acquisition, or joint venture involving a third-country entity — due diligence and post-acquisition data integration typically require extensive personal data sharing with non-EEA parties, necessitating appropriate transfer mechanisms approved by the AEPD.

Parties in Spain should prepare a International Data Transfer Agreement Spain (Transferencia Internacional de Datos) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Ley de Sociedades de Capital (LSC) RDL 1/2010, the Registro Mercantil maintains the register of Spanish companies. The Código de Comercio 1885 governs commercial obligations. The Agencia Estatal de Administración Tributaria (AEAT) administers Impuesto sobre Sociedades (IS) under Ley 27/2014. The Comisión Nacional de los Mercados y la Competencia (CNMC) enforces competition law. The Código Civil governs general contractual obligations under Article 1255. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your International Data Transfer Agreement Spain (Transferencia Internacional de Datos)

A valid International Data Transfer Agreement Spain compliant with RGPD Article 46, the 2021 Standard Contractual Clauses (Commission Decision 2021/914/UE), and AEPD guidelines must contain the following essential elements.

Identification of Data Exporter and Data Importer: Full legal name, NIF/CIF (for Spanish entities), registered address, and the name, title, and contact details of the data protection representative (Delegado de Protección de Datos — DPD, if appointed under Article 37 RGPD) of both the data exporter and the data importer. The applicable SCC module must be specified — Module 1 (C2C), Module 2 (C2P), Module 3 (P2C), or Module 4 (P2P) — based on the roles of the parties.

Description of Personal Data Transferred: A precise description of the categories of personal data (categorías de datos personales) being transferred — basic identification data (nombre, DNI, dirección), contact data (email, teléfono), financial data (IBAN, datos de nómina), health data (datos de salud — special category under Article 9 RGPD), or other sensitive data. Special category data transfers require an explicit derogation under Article 49.1 RGPD or additional safeguards beyond the standard SCC.

Categories of Data Subjects: Identification of the categories of individuals (interesados) whose data is transferred — employees (empleados), customers (clientes), suppliers (proveedores), website visitors (usuarios de la web), or other identified groups. The estimated number of data subjects should be stated.

Purposes and Legal Basis: The specific purposes (finalidades) for which the data is transferred and processed in the third country — HR management, customer support, analytics, research — and the legal basis (base jurídica) for the original processing under Article 6 RGPD (performance of contract, legal obligation, legitimate interests, or consent). The transfer must be consistent with the original lawful purpose for which the data was collected.

Transfer Impact Assessment (TIA): An annex documenting the Transfer Impact Assessment (Evaluación de Impacto de la Transferencia) conducted by the data exporter — assessing the legal and practical framework of the destination country, including: the existence of laws granting public authorities access to personal data (surveillance laws); the essential guarantees applicable (independent supervisory authority, judicial remedy, proportionality); and any supplementary technical measures implemented (encryption, pseudonymisation, data minimisation) to address gaps in protection. The TIA is mandatory for transfers to countries where government surveillance presents a risk to the data (EDPB Recommendations 01/2020).

Technical and Organisational Security Measures: A description of the specific technical (cifrado en tránsito y en reposo, seudonimización, control de accesos, autenticación multifactor) and organisational (políticas de seguridad, formación del personal, control de proveedores) measures implemented by both exporter and importer under Article 32 RGPD and Annex II of the 2021 SCCs.

Data Subject Rights: A clause establishing the mechanism through which data subjects (interesados) may exercise their rights under Articles 15 to 22 RGPD — access (acceso), rectification (rectificación), erasure (supresión), restriction (limitación), portability (portabilidad), and objection (oposición) — including the contact details of the data protection representative in Spain, the timeline for responding (1 month, extendable to 3 under Article 12.3 RGPD), and the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos — aepd.es) under Article 77 RGPD.

Data Retention and Deletion: The agreed retention period (plazo de conservación) for personal data in the third country, consistent with the retention periods established in the Spanish data exporter's Registro de Actividades de Tratamiento (Article 30 RGPD), and the procedure for secure deletion or return of data upon expiry of the transfer agreement or termination of the underlying contract.

Sub-processors and Onward Transfers: Where the data importer may engage sub-processors (subencargados) or make onward transfers of the personal data to further third countries, the agreement must specify the authorisation process — general written authorisation (autorización general por escrito) or specific prior authorisation (autorización previa específica) — and the requirement that sub-processors provide equivalent data protection guarantees under Article 28 RGPD.

AEPD Registration and Compliance: A clause acknowledging that the data exporter must maintain a Registro de Actividades de Tratamiento (Article 30 RGPD) documenting all international data transfers, and that any personal data breach (brecha de seguridad) affecting transferred data must be notified to the AEPD within 72 hours under Article 33 RGPD and to affected data subjects where required under Article 34 RGPD.

Forms-legal.com provides this International Data Transfer Agreement Spain template as a practical reference. Given the complexity of RGPD Chapter V requirements, Schrems II TIA obligations, and AEPD enforcement practice (with fines up to €20 million or 4% of global annual turnover under Article 83 RGPD), Spanish companies engaging in international data transfers should obtain specialist advice from a qualified abogado especialista en protección de datos or DPO (Delegado de Protección de Datos) certified under AEPD guidelines.

Cite this page

CC BY 4.0 · free to cite

Reference this free template in an article, syllabus, or research note:

APA
Forms Legal. (2026). International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain) [Legal document template]. Forms Legal. https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain
MLA
"International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain)." Forms Legal, 2026, https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain.
Chicago
Forms Legal. "International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain)." Forms Legal, 2026. https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain.
BibTeX
@misc{formslegal-international-data-transfer-agreement-spain,
  author       = {{Forms Legal}},
  title        = {International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain}},
  note         = {Free legal document template}
}
Wikipedia
{{cite web |title=International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain) |website=Forms Legal |publisher=Forms Legal |date=2026 |url=https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain}}
RIS
TY  - ELEC
T1  - International Data Transfer Agreement Spain (Transferencia Internacional de Datos) (Spain)
T2  - Forms Legal
PB  - Forms Legal
PY  - 2026
UR  - https://forms-legal.com/espana/business/policies/international-data-transfer-agreement-spain
ER  - 
Forms LegalUpdated 2026-06-06.bib.ris

Frequently Asked Questions

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know