Skip to content
Guidance · EDPB ·152026-on-the-europrivacy-certification-criteria EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 15/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal to be used as tool for transfers pursuant to Articles 42 and 46 GDPR

Summary

Opinion 15 / 2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal to be used as tool for transfers pursuant to Articles 42 and 46 GDPR Adopted on 15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board Having regard to Article 63, Article 64(2), Article 42 and Article 46 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to…

How it connects

Full text 56 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶0

46 GDPR Adopted on 15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board Having regard to Article 63, Article 64(2), Article 42 and Article 46 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the European Economic Area (hereinafter “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Articles 10 and 22 of its Rules of Procedure.

¶1

Member States, supervisory authorities, the European Data Protection Board (hereinafter “the EDPB or the Board”) and the European Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms (herei nafter “certification mechanisms”) and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors, taking into account the specific needs of micro, small and medium - s ized enterprises 2 . In addition, the establishment of certification mechanisms can enhance transparency and allow data subjects to assess the level of data protection of relevant products and services 3 .

¶2

In addition to adherence by controllers or processors subject to the GDPR, data protection certification mechanisms, seals or marks approved pursuant to Article 42(5) GDPR may be established for the purpose of demonstrating the existence of appropriate saf eguards provided by controllers or processors that are not subject to the GDPR pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations (hereinafter ‘data importers’) under the terms referred t o in of Article 46(2)(f) GDPR 4 .

¶3

The certification to be used as a tool for transfers is a new transfer mechanism introduced by Article 46 GDPR to ensure that, in the absence of a decision pursuant to Article 45(3) GDPR, a controller or processor under the GDPR (hereinafter ‘EEA data expo rter’) may transfer personal data to a third country or an international organisation only if appropriate safeguards are provided and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In particu lar, according to Article 46(2)(f) GDPR, a certification mechanism approved pursuant to Article 42 GDPR may provide for these appropriate safeguards if it is accompanied by binding and enforceable commitments of the data importers to apply the appropriate safeguards, including as regards data subjects' rights. The criteria of certification form an integral part of a certification mechanism. Consequently, the GDPR requires the approval of the criteria of a national certification mechanism by the competent su pervisory authority (Articles 42(5) and 43(2)(b) GDPR), or in the case of a European Data Protection Seal, by the EDPB (Articles 42(5) and 70(1)( o) GDPR).

¶4

When a supervisory authority (hereinafter “SA”) intends to propose the approval by the EDPB of a European data protection seal pursuant to Article 42(5) GDPR, the SA should state the intention of the scheme owner to offer the certification mechanism in all Member States. In this case, the main role of the EDPB is to ensure the consistent application of the GDPR, 1 References to “Member States” made throughout this Opinion should be understood as references to “EEA Member States”. 2 Article 42(1) GDPR. 3 Recital 100 GDPR. 4 See Article 42(2) GDPR. 3 | Adopted through the consistency mechanism referred to in Articles 63, 64 and 65 GDPR. In this framework, according to Article 64(2) GDPR, the EDPB is approving the criteria of certification.

¶5

A European Data Protection Seal approved pursuant to Article 42(5) GDPR established for the purpose of demonstrating the existence of appropriate safeguards provided by data importers, together with binding and enforceable commitments, serves as a tool to cover data transfers from all EEA Member States to third countries or international organisations 5 .

¶6

When evaluating a certification mechanism to be used as a tool for transfers, the EDPB assessment is carried out on the basis of the “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Reg ulation” (hereinafter the “Guidelines”) and their Addendum providing “Guidance on certification criteria assessment” (hereinafter the “Addendum”), as well as on the “Guidelines 07/2022 on certification as tool for transfers” (hereinafter “Guidelines on cer tification as tool for transfers”).

¶7

The EDPB acknowledges that each certification mechanism should be addressed individually and is without prejudice to the assessment of any other certification mechanism.

¶8

Certification mechanisms to be used as a tool for transfers should enable data importers to demonstrate the existence of appropriate safeguards in order to ensure that the level of protection of natural persons guaranteed by the GDPR will not be undermined when transferred personal data will be processed outside the EEA 6 . Therefore, its criteria should properly reflect the requirements and principles concerning the protection of personal data laid down in the GDPR so as to ensure that the protection afforded by the GDPR will travel with the personal data 7 .

¶9

At the same time, scheme owner should ensure the alignment and conformity of the certification mechanism with any included or leveraged ISO standards and certification practices.

¶10

As a result, certifications should add value to data importers by helping to implement standardized and specified organizational and technical measures to demonstrate that appropriate safeguards are in place when processing personal data received by EEA da ta exporters. In this perspective, the EDPB recalls that the object of the certification – which coincides with the Target of Evaluation (ToE) during certification – should generally be the processing of the data transferred to the data importer in the thi rd country and the transit, if this is under the control of the same importer 8 .

¶11

Certifications will also be of added value for the data exporter who might decide to rely on the certification obtained by a data importer as a tool for transferring personal data according to Article 46(2)(f) GDPR and as an element to demonstrate complian ce with obligations e.g. according to Article 24(3) or Article 28(5) GDPR 9 .

¶12

In this regard, the EDPB recalls that the data exporter who wants to use a certification as appropriate safeguard according to Article 46(2)(f) GDPR is obliged to verify whether the certification it intends to rely on is effective in light of the character istics of the intended processing. To that end, the data exporter must check the issued certification in order to verify if the certificate is valid and not expired, if it covers the specific transfer to be carried out and 5 EDPB Guidelines 07/2022 on certification as tool for transfers, Version 2.0, adopted on 14 February 2023, paragraph 30. 6 Article 44 GDPR. 7 See European Commission, Communication to the European Parliament and the Council ‘ Exchanging and Protecting Personal Data in a Globalised World ’, COM/2017/07 final, page 4. 8 See EDPB Guidelines 07/2022 on certification as tool for transfers, Version 2.0, adopted on 14 February 2023, paragraph 16. 9 Guidelines 7/2022 on certification as tool for transfers, paragraph 5. 4 | Adopted whether the transit of personal data is in the scope of certification, as well as if onward transfers are involved and an adequate documentation is provided on them 10 .

¶13

Additionally, the data exporter has to check that the certification body issuing the certification is accredited by a national accreditation body or a competent supervisory authority. Moreover, the data exporter should refer to using the certification as a tool for transfer in the data processing contract pursuant to Article 28 GDPR in case of transfers from controller to processor or a data - sharing contract with the data importer in case of transfers from controller to controller 11 . It has also to comply with the specific obligations envisaged by Article 13(1)(f) GDPR, in particular informing the data subject of the appropriate safeguards used, i.e., in case of certification under Article 46(2)(f) GDPR, the certificate received by the importer according to a specific certification mechanism and the means by which to obtain a copy of the certificate and of the safeguards contained in the certification criteria or where they have been made available.

¶14

The EDPB welcomes the efforts made by scheme owners to elaborate certification mechanisms, which are practical and potentially cost - effective tools to ensure greater consistency with the GDPR and foster the right to privacy and data protection of data subj ects by increasing transparency.

¶15

The EDPB recalls that certifications are voluntary accountability tools, and that the adherence to a certification mechanism does not prevent supervisory authorities from exercising their tasks and powers pursuant to the GDPR and the relevant national laws . This, in the context of certifications to be used as tool for transfers, also with specific regard to the respect of the obligations taken as binding and enforceable commitments by the data importers vis - à - vis the data exporters, via contractual or other legally binding instruments, to apply the appropriate safeguards provided by the certification mechanism including with regard to the rights of data subjects.

¶16

This Opinion aims to ensure the consistent application of the GDPR, including by the SAs, controllers and processors in the light of the core elements which certification mechanisms are required to establish. In particular, this Opinion aims at assessing t he certification criteria intended to be used as tool for transfers by data importers. Therefore, in it, the EDPB addresses issues, such as the scope, the applicability and relevance of the criteria in case of transfers taking place from all EEA Member Sta tes and/or from any data exporters under the scope of application of the GDPR.

¶17

The Opinion of the EDPB focuses solely on the certification criteria. The EDPB may require high level information on the evaluation methods in order to be able to thoroughly assess the auditability of the criteria in the context of its Opinion thereof. How ever, this does not encompass any kind of approval of such evaluation methods.

¶18

The Opinion of the EDPB shall be adopted, pursuant to Article 64(2) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks from the first working day after the Chair and the competent supervisory authority have decided th at the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. If the opinion of the EDPB concludes that the criteria cannot be approved at stake, the SA may resubmit the criteria for approval when the concerns expressed in the initial EDPB Opinion are addressed. Has adopted the following Opinion : 10 Guidelines 7/2022 on certification as tool for transfers , paragraph 20. 11 Ibid. 5 | Adopted 1 Summary of the facts

¶19

In accordance with Articles 42(2) and 46(2)(f) GDPR, the Guidelines 1/2018 and the Guidelines 7/2022 on the certification as tool for transfers, the Europrivacy version 82, (hereinafter “certification criteria”) has been drafted by the European Center for Certification and Privacy (hereinafter the “scheme owner”).

¶20

The EDPB recalls that it had already approved the Europrivacy certification criteria (version 60) on 10 October 2022, by issuing the EDPB Opinion 28/2022 as European Data Protection Seal pursuant to Article 42(5) GDPR meant to demonstrate compliance with t he GDPR according to Article 42(1) GDPR. Such a scheme was not a certification under Article 46(2)(f) GDPR meant for data transfers.

¶21

On 29 January 2026, the Supervisory Authority of Luxembourg (hereinafter the “LU SA”) has submitted to the EDPB an updated version of the already approved Europrivacy EU Data Protection Seal certification criteria with an extended scope including in partic ular applicants subject to Article 3(2) GDPR, as well as other amendments concerning the core certification criteria (version 82). The EDPB has adopted Opinion 14 /2026 on this updated version (version 82) of the Europrivacy certification criteria intended to demonstrate compliance with the GDPR pursuant to Article 42(5).

¶22

On the same date, the LU SA has also submitted to the EDPB an additional set of certification criteria (“The Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46”) intended to be used as tool for transfers pursuant to A rticle 46(2)(f) GDPR for approval pursuant to Article 64(2) GDPR.

¶23

The decision on the completeness of this file was taken on 31 March 2026. 2 Assessment

¶24

The EDPB has conducted its assessment of the certification criteria intended to be used as tool for transfers by data importers for their approval under Article 42(5) in conjunction with Article 46(2)(f) GDPR in line with the structure foreseen in Annex 2 to the Guidelines 1/2018 (hereinafter “Annex”), its Addendum and the Guidelines on certification as tool for transfers 12 .

¶25

The Board highlights that, in line with the conditions set forth in Articles 42(2) and 46(2)(f) GDPR, the current scheme is intended to be used as a tool for transfer and the certifications issued according to the scheme could therefore be relied upon by d ata exporters in the meaning of Chapter V GDPR (i.e. by controller or processors subject to the GDPR for the given processing 13 ) to transfer personal data to certified data importers not subject to the GDPR pursuant to Article 3 14 . This means that transfers of personal data to the data importer in the third country can only take place after that the same importer has been certified and has signed binding and enforceable commitments vis - à - vis the EEA data exporter to apply the appro priate safeguards envisaged in the certification criteria when processing the transferred personal data in the scope of the ToE, including as regards data subjects' rights.

¶26

In the context of this Opinion and in order to approve the Europrivacy certification criteria intended as tool for transfer, the EDPB has assessed the Application and Target of Evaluation - Preliminary Checks and Controls for Data Importers (ADI); the Euro privacy GDPR Core 12 See in particula r: Sections 3 and 4 of the Guidelines 07/2022. 13 See EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR , Version 2.0, adopted on 14 February 2023, paragraph 9. 14 Article 42(2) GDPR. 6 | Adopted Criteria for Data Importers (GI); the Technical and Organisational Measures Checks & Controls (T).

¶27

With regard to the certification process, considering the particularity of the certification to be used as a tool for transfers, the EDPB highlights a need for great transparency and welcomes the clarifications provided in this respect in the Europrivacy c ertification scheme according to which ‘transfers cannot start before the certification is delivered’. In this regard, the EDPB acknowledges that before the transfer of personal data takes place, ‘the assessment can be performed with personal data not subj ect to the GDPR or with non - personal data. Where needed, it is possible to use fake data for assessing specific criteria’ and that, once the data transfer has started, ‘the Auditor shall reassess those criteria at the following surveillance audit’ 15 .

¶28

The EDPB recalls that there may be some adjustments that need to be made in the accreditation of certification bodies with regard to a certification as a tool for transfers in line with the Guidelines on certifications as tool for transfers 16 . However, this Opinion does not address this issue as it does not pertain to the competence of the EDPB.

¶29

The EDPB also recalls the need for the certification criteria to be made available in line with Article 42(8) GDPR and, in particular, in case of certification to be used as tool for transfers, in line with Article 13(1)(f) GDPR, to data subjects whose per sonal data will be transferred on the basis of the certification provided to the data importer.

¶30

The Board notes, as clarified in the definitions of the scheme, that references to “competent data protection authorities” throughout the scheme shall have the meaning of data protection authorities in the EEA 17 .

¶31

Similarly, the Board notes that references to “applicable law” and “third country law” “refer to the law applicable to the Applicant and/or to the personal data processed in the Target of Evaluation, to the extent that such law does not impose restrictions on the data protection rights which go beyond what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23 (1) GDPR, is proportionate to the objective pursued, respects the essence of the right to dat a protection, provides for specific measures to safeguard Data Subjects' fundamental rights and interests”. 2.1 Scope of the certification mechanism and Target of Evaluation (ToE)

¶32

The Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46 is intended to be used pursuant to Articles 42(2) and 46(2)(f) GDPR by data importers located outside the EEA that are not subject to the GDPR pursuant to Article 3 with a view demonstrating the existence of appropriate safeguards within the framework of personal data transfers to third countries or international organisations. Thus, its scope differs from the one of Article 42(1) Europrivacy certification referred to in paragraph 3 of this Opinion as it provides 15 See Europrivacy ™ / ® Certification Scheme Extension for Certifying Data Importers under Article 46 GDPR, EP - CS.1.DI , , par. 6.1. 16 Guidelines 07/2022, Section 2. 17 See the definition envisaged by the Europrivacy criteria for the ‘Competent SA’: “ “Competent Data Protection Authority” refers to data protection authorities in the EEA. Overall, it refers to the national data protection authorities that have competenc e to enforce compliance of the personal data processed by the Target of Evaluation. In the case of a GDPR certification delivered to a Data Importer under Art icle 46 GDPR, the competent Data Protection Authority is the one of the Data Exporter in the EEA, except for lodging a complaint where any authority in the EEA is competent ” . 7 | Adopted specific criteria to be applied and respected when an Europrivacy certification is delivered to applicants (controllers or processors) located outside EEA intended to act as data importers.

¶33

The Europrivacy certification scheme as tool for transfers is a scheme meant to be applied on both a singular transfer but also to a set of transfers, when the latter are closely correlated. The certification scheme contains certification criteria for proc essing operations within the Target of Evaluation (ToE) performed on personal data transferred to the data importer, including the transit when it is under the control of the same importer 18 .

¶34

The EDPB takes note that the scope of this certification scheme does not cover joint controllers and that where ‘Joint Controllership is included in the ToE, then the Certification Body shall decline to deliver certification’ 19 . 2.2 Processing operations

¶35

The certification criteria address the relevant components of the processing operations for the personal data transferred under the scope of the ToE. In particular, the certification criteria envisage safeguards for the processing of special categories of personal data (section GI.2 of the criteria on “Special Data Processing”). In this regard, the Board welcomes that the certification criteria (criterion GI.2.1.3 on “Additional safeguards for processing of special categories of personal data”) also require that the applicant shall have additional restrictions and safeguards in place, adapted to the specific nature of the data and the corresponding risks, when special categories of personal data are involved in the processing. 2.3 Principles of data processing

¶36

In section GI.1, the certification criteria adequately address the data protection principles consistently with those envisaged in Article 5 GDPR with the objective to ensure that the data processing in the ToE is lawful and proportionate.

¶37

In particular, under the certification criterion GI.1.1.2, the principle of purpose limitation and the relevant obligations of the applicant in order to comply with it, are duly elaborated. The EDPB notes that transferred personal data could only be proces sed for the purposes for which they have been transferred. The certification criterion GI.1.1.3, in line with the current Standard Contractual Clauses adopted by the European Commission 20 , identifies the only exemptions under which data can be further processed for other purposes than the ones for which they were initially collected (i.e. prior informed consent, legal obligation, vital interests of the data subjects and legal claims).

¶38

The EDPB also notes that the applicant is required to provide a written assessment in order to ensure that the law and practice in the third country do not prevent the applicant from complying with the Europrivacy criteria, respect the essence of the funda mental rights and freedoms of the Data Subjects, do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23 ( 1 ) GDPR. The certified entity has to review the assessment w henever regulator y or organisational changes may hinder the compliance with the criteria or affect the T oE or the Data Subjects' rights and the Certification Body should be informed (criterion GI 1.1.1). 18 Se e certification criteria GI.11.1.5 and GI.11.1.6 19 Europrivacy ™ / ® Certification Scheme Extension for Certifying Data Importers under Article 46 GDPR, EP - CS.1.DI , par. 3.2.2. where it is also clearly stated that “joint controllership is excluded from the scope of the scheme for applicants under Arti cle 46”. 20 Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council . 8 | Adopted 2.4 General obligations of controllers and processors

¶39

The certification criteria reflect the obligations of the controller pursuant to Article 24 GDPR (Section GI.4. of the criteria) and require the evaluation of processor - controller contractual agreements in accordance with Article 28 GDPR (Section GI.5 of t he certification criteria on “Data Processors or sub - processors”) with the objective to ensure that the data processors participating in the data processing of the ToE ensure the same level of data protection, as the one required by the Europrivacy criteri a. In this regard, the EDPB welcomes the different certification criteria related to engagement of sub - processors for applicants acting as controllers or as processors as this distinction allows to better reflect the separation of roles and responsibilitie s among the actors in the processing chain (Section GI.5.1).

¶40

The certification criteria require all applicants to appoint a Data Protection Officer (DPO) even in the case where the applicant is not required to designate a DPO according to Article 37 GDPR. The certification criteria check that the DPO meets the same requirements as the ones envisaged in Articles 37 to 39 (Section GI.9 of the certification criteria on the “designation of the data protection officer”) in order to ensure that the role, function and qualification of the data protection officer that overse es the compliance of the data processing in the ToE meets the “necessary requirements”. In this regard, the Board notes that the appointment of the DPO is not a mandatory obligation for controllers and processors under the GDPR unless the conditions provid ed under Article 37(1) GDPR are met.

¶41

The certification criteria require to check the content of the records of processing of activities consistent with Article 30 GDPR (section GI.5.3 of the criteria on “Records of processing activities”). In this regard, the Board welcomes that the certifica tion criteria clearly require that the applicants shall cooperate with requests made by the Data Protection Authorities in the EEA which are competent for the exporters and make available to them, upon request, the record of processing activities (criterio n GI.5.3.5). 2.5 Rights of the data subjects

¶42

The certification criteria address data subject’s rights consistently with Chapter III GDPR and require respective measures to be put in place with the objective of ensuring that the processing in the ToE respects and enables the effective exercise of data subjects’ rights. Section GI.3 of the certification criteria relating to “Transparent information, communication and modalities for exercising the rights of the data subject” envisages, among the other safeguards, that data subjects have the right to be i nformed on the data processing and on how they can exercise their rights. The EDPB welcomes, in particular, that the certification criteria envisage that the applicant shall have procedures or a mechanism in place to deal with data subjects’ requests and i n case of non - action on the request of the data subjects, inform them about the reasons for not taking action, the right to lodge a complaint with an EEA Data Protection Authority and of seeking a judicial remedy. 2.6 Technical and organisational measures and assessment of the risks for the rights and freedom of data subjects

¶43

The certification criteria require the application of technical and organisational measures which demonstrate a level of security appropriate to the risk of processing and implement data protection by design and by default consistently with Articles 25 and 32 GDPR (section GI.6 of the certification criteria on “data protection by design and default, and security of processing”) with the aim to ensure that the data processed in the ToE benefit from the 9 | Adopted adequate security as well as data protection by design and by default. In addition, the certification criteria include a section (i.e. criteria T on technological and organisational measures, checks and controls), where technical and organisational measure s are thoroughly addressed.

¶44

The certification criteria require the application of measure to ensure that personal data breach notification duties are carried out in due time and scope consistent with Articles 33 and 34 GDPR (section GI.7 of the certification criteria on “management o f data breaches”).

¶45

In this regard, the Board notes that the certification criteria include a detailed list (criterion GI.7.1.1. “Duty to document data breaches”) as to the information that the applicant must document where a data breach occurs (e.g. the categories of persona l data that are or may be affected, the approximate number of data subjects that are or may be affected; the categories and approximate number of personal data records it concerns or may concern, the likely consequences of the personal data breach). In add ition, the EDPB welcomes that the certification criteria clearly envisage that, when the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the applicant shall have rules, a procedure or a mechanism in place t o inform the Data Protection Authority in the EEA competent for the exporter(s) and the data subjects consistently with the requirements in Articles 33 and 34 GDPR (criterion GI.7.1.2 “Duty of the Controller to notify and communicate data breaches” and GI 7.2 “Communication of a personal data breach to the data subject”).

¶46

The EDPB also welcomes that the certification criteria require assessing the risk to the rights and freedoms of natural persons of the data processing covered by the ToE, envisaging the involvement of the Data Protection Authority in the EEA competent for the exporter(s) consistently with Article 35 GDPR (Section GI.8. of the certification criteria on “Duty to assess if Data Protection Impact Assessment (DPIA) is required”). 2.7 Criteria for the purpose of demonstrating the existence of appropriate safeguards for transfer of personal data

¶47

The certification criteria require identifying all personal data transfers to third countries and to international organizations involved in the ToE and substantiating the choice made regarding the data transfer mechanism providing for appropriate safeguar ds consistent with those envisaged in Chapter V GDPR (section GI.10 of the criteria on “Transfers of personal data to third countries or international organisations”). The EDPB acknowledges that these certification criteria will be applied in case of ‘onwa rd transfers’ of personal data involved in the ToE to the same third country where the applicant is located or to a different third country. The Board welcomes that these certification criteria specifically require that the applicant shall have a clear map ping or record of all personal data flows in scope of the ToE and identified transfers to third countries and to international organisations and adopt the appropriate ground for transfer of personal data in line with those envisaged in Chapter V GDPR, taki ng into account the obligation not to undermine the level of protection of the personal data as provided within the EEA.

¶48

The EDPB also notes that the certification criteria require that the applicant shall have performed a Transfer Impact Assessment and, where necessary, adopted supplementary measures to ensure that the level of protection of the transferred data is not unde rmined (criterion GI.10.1.5). 10 | Adopted 3 Additional C riteria f or a E uropean D ata P rotection S eal to be used as tool for transfers

¶49

According to the Guidelines on the certification as tool for transfers, the certification scheme should ensure that the data importer “have assessed the rules and practices of the third country where it operates or whether they prevent the data importer fr om complying with its commitments under the certification”. In this regard, the Board notes that criterion ADI.2.1.5 defines conditions for applicants to be met when defining the ToE during the review of their application to certification. In particular, b efore considering a certification audit, it requires the certification body to check that the applicant is able to demonstrate that “the third - country laws and practice does not hinder compliance with the certification requirements”. If this is not the cas e, the certification process will stop during the application phase.

¶50

The Board also notes that, under criterion GI.11.1.3, the applicant should analyse the laws and practices in the third country and identify the potential impact on the rights and freedoms of the data subject whose data may be imported and have “rules, proc edures or policies to make its written analysis of the local laws and practices available to the Certification Body and to competent Data Protection Authorities on request”.

¶51

In addition, as per the Guidelines on certification as tool for transfers, the certification criteria provide that, where necessary, the applicant shall have adopted supplementary measures to ensure that the level of protection of the transferred personal data is not undermined and that, where this is not possible, the data importer has to inform the data exporter and the transfer of personal data should be suspended or stopped (criterion GI 11.1.3).

¶52

Moreover, the Board notes that the Europrivacy scheme, in line with Article 42(2) GDPR, envisages that a contract between the data importer and the data exporter including the relevant binding and enforceable commitments should be signed before any transfe r takes place and provides for a template of such a contract. In this respect, the EDPB takes note that, in line with the Guidelines on certification as tool for transfers, the certification criteria include a detailed list of the content of the binding an d enforcement commitments that should be taken by the applicant vis - à - vis each exporter in the EEA, among which the obligation to recognize the right for the data subjects as third - party beneficiaries to enforce, against the data importer holding a certifi cation, the rules under the certification, to cooperate with the Data Protection Authorities in the EEA competent for the Data Exporters (including by accepting their audits and inspections, taking into account their advice, and abiding by their decision s), to abide by any binding decision issued in EEA Member States' jurisdiction and courts related to the certification, to only process the received data while the certificate is valid, to return and/or delete the received data if the certificate is withdr awn. The certification criteria also envisage that the applicant should warrant that it has no reason to believe the laws and practices in the third country applicable to the processing in the ToE, including any requirements to disclose personal data or me asures authorizing access by public authorities prevent it from fulfilling its commitments under the Certification and to inform the Data Exporter of any relevant changes in the legislation or practice in this regard (criterion GI.11.1.1 on ‘Binding and En forceable Commitments for Data Importers”). 4 Conclusions / Recommendations

¶53

By way of conclusion, the EDPB considers that the Europrivacy certification criteria intended to be used as tool for transfers are consistent with the GDPR and approves them pursuant to 11 | Adopted the task of the Board defined in Article 70(1)(o) GDPR, resulting in a common certification (European Data Protection Seal) to be used as tool for transfers.

¶54

The EDPB considers the certification criteria to form an integral part of the certification scheme and will register the Europrivacy certification scheme in the public register of certification mechanisms and data protection seals and marks and make the cr iteria publicly available pursuant to Article 42(8) GDPR. 5 Final remarks

¶55

This Opinion is addressed to the LU SA and will be made public pursuant to Article 64(5)(b) GDPR. For the European Data Protection Board The Chair Anu Talus

Similar Content