Skip to content
Guidance · EDPB ·142026-on-the-europrivacy-certification-criteria EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 14/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 GDPR

Summary

Opinion 14 / 2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 GDPR Adopted on 15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board Having regard to Article 63, Article 64 (2) and Article 42 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free…

How it connects

Full text 56 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶0

15 April 2026 1 | Adopted 2 | Adopted The European Data Protection Board Having regard to Article 63, Article 64 (2) and Article 42 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the European Economic Area (hereinafter “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article 10 and Article 22 of its Rules of Procedure , Whereas:

¶1

Member States, supervisory authorities, the European Data Protection Board (hereinafter “the EDPB or the Board”) and the European Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms(hereinafter “certification mechanisms”) and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR of processing operations by controllers and processors, taking into account the specific needs of micro, small and medium - s ized enterprises. In addition, the establishment of certification mechanisms can enhance transparency and allow data subjects to assess the level of data protection of relevant products and services.

¶2

The criteria of certification form an integral part of a certification mechanism. Consequently, the GDPR requires the approval of the criteria of a national certification mechanism by the competent supervisory authority (Articles 42(5) and 43(2)(b) GDPR), or in the case of a European Data Protection Seal, by the EDPB (Articles 42(5) and 70(1)(o) GDPR).

¶3

When a supervisory authority (hereinafter “SA”) intends to propose the approval by the EDPB of a European data protection seal pursuant to article 42(5) GDPR, the SA should state the intention of the scheme owner to offer the certification mechanism in all Member States. In this case, the main role of the EDPB is to ensure the consistent application of the GDPR, through the consistency mechanism referred to in Articles 63, 64 and 65 GDPR. In this framework, according to Article 64(2) GDPR, the EDPB is appro ving the criteria of certification.

¶4

This Opinion aims to ensure the consistent application of the GDPR, including by the SAs, controllers and processors in the light of the core elements, which certification mechanisms are required to establish. In particular, the EDPB assessment is carried out on the basis “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation” (hereinafter the “Guidelines”) and their Addendum providing “Guidance on certification criteria assessment” (hereinafter the “Addendum”), for which the public consultation period expired on 26 May 2021.

¶5

Accordingly, the EDPB acknowledges that each certification mechanism should be addressed individually and is without prejudice to the assessment of any other certification mechanism.

¶6

Certification mechanisms should enable controllers and processors to demonstrate compliance with the GDPR. Therefore, its criteria should properly reflect the requirements and principles concerning the protection of personal data laid down in the GDPR and contribute to its consistent application. 1 References to “Member States” made throughout this document should be understood as references to “EEA Member States”. 3 | Adopted

¶7

At the same time, scheme owner should ensure the alignment and conformity of the certification mechanism with any included or leveraged ISO standards and certification practices.

¶8

As a result, certifications should add value to controllers and processors by helping to implement standardized and specified organizational and technical measures that demonstrably facilitate and enhance processing operation compliance to the GDPR, taking account of sector - specific requirements.

¶9

The EDPB welcomes the efforts made by scheme owners to elaborate certification mechanisms, which are practical and potentially cost - effective tools to ensure greater consistency with the GDPR and foster the right to privacy and data protection of data subj ects by increasing transparency.

¶10

The EDPB recalls that certifications are voluntary accountability tools, and that the adherence to a certification mechanism does not reduce the responsibility of controllers or processors for compliance with the GDPR or prevent supervisory authorities fro m exercising their tasks and powers pursuant to the GDPR and the relevant national laws.

¶11

In this Opinion, the EDPB addresses issues, such as the scope of the criteria, the applicability and relevance of the criteria in all Member States.

¶12

This Opinion of the EDPB focuses solely on the certification criteria. The EDPB may require high level information on the evaluation methods in order to be able to thoroughly assess the auditability of the criteria in the context of its Opinion thereof. Ho wever, this does not encompass any kind of approval of such evaluation methods.

¶13

The Opinion of the EDPB shall be adopted, pursuant to Article 64(2) of GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks from the first working day after the Chair and the competent supervisory authority have decided that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. If the opinion of the EDPB concludes that the criteria cannot be approved at stake, the SA may resubmit the criteria for approval when the concerns expressed in the initial EDPB Opinion are addressed. Has adopted the following Opinion : 1 Summary of Facts

¶14

In accordance with Article 42(5) GDPR and the Guidelines, the Europrivacy certification criteria (version 82 (hereinafter the “certification criteria”) was drafted by European Center for Certification and Privacy (hereinafter the “scheme owner”).

¶15

The Supervisory Authority of Luxembourg (hereinafter the “LU SA”) has submitted the Europrivacy certification criteria (version 82) to the EDPB for approval pursuant to Article 64(2) GDPR on 29 January 2026.

¶16

The decision on the completeness of the file was taken on 31 March 2026.

¶17

The EDPB recalls that it approved the Europrivacy certification criteria (version 60) on 10 October 2022, by issuing the EDPB Opinion 28/2022 as European Data Protection Seal pursuant to Article 42(5) GDPR (“Previous EDPB Opinion”). 4 | Adopted

¶18

The present Opinion addresses the amended version of the Europrivacy certification criteria (version 82). First of all, the Board notes that in this version of the certification criteria, currently submitted to the EDPB, the scope has been extended to incl ude applicants subject to Article 3(2) GDPR and, in this regard, a criterion on potential conflict of third country law has been introduced. Moreover, the Board notes that some of the certification criteria approved by the EDPB in 2022 have been adjusted, refined and/or clarified in the amended version of the Europrivacy certification criteria (version 82). These amendments concern, in particular: the designation of a representative in the EEA and the cooperation with requests made by the competent DPAs in the EEA; the National Obligations Compliance Assessment Report (“NOCAR”), the further processing, the safeguards accompanying the processing of special categories of personal data, the data subject rights, the engagement of sub - processors, the handling of data breaches, the risk assessment for the data processing, and the security policy and requirements.

¶19

The EDPB underlines that the amendment of the certification criteria already approved in 2022 will affect the certifications issued so far as well as the ongoing certification processes. Therefore, a transition period between the European Data Protection S eals delivered according to the certification criteria approved with the Previous EDPB Opinion (version 60), and the ones issued according to the certification criteria (version 82), assessed in the present Opinion, should be managed appropriately and tran sparently. In this regard, the Board understands, based on the documentation provided by the scheme owner, that all ongoing certification processes must be finalised by the end of 2026 and after that point in time the certification criteria approved with t he Previous EDPB Opinion (version 60) will no longer be used to issue new certificates. The certificates issued so far will remain valid until the end of their three - years period of validity, and they will be renewed according to the certification criteri a (version 82). Therefore, after the end of 2029, the certification criteria approved with the Previous EDPB Opinion (version 60) will be fully superseded by the certification criteria (version 82). In addition, the information regarding this transition pl an will be made publicly available by the scheme owner. There may some adjustments that need to be made in the accreditation of the certification bodies, but this Opinion does not address this issue as it does not pertain to the competence of the EDPB.

¶20

The general Europrivacy certification scheme is not intended to be used as tool for transfers pursuant to Article 42(2) and 46(f) GDPR. On 29 January 2026, the LU SA has also submitted to the EDPB, for approval pursuant to Article 64(2) GDPR, an additional set of certification criteria (“The Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46”) whose scope covers controllers and processors located outside of the EEA that are not directly subject to the GDPR according to Article 3(2) GDPR, but are processing personal data received from another data controller or processor subject to the GDPR. On this set of certification criteria intended to be used as tool for transfers pursuant to Article 46(2)(f) GDPR, the EDPB has ado pted the Opinion 15 /2026 . 2 Assessment

¶21

The EDPB has conducted its assessment of the certification criteria for their approval under Articles 42(5) GDPR in line with the structure foreseen in Annex 2 to the Guidelines (hereinafter “Annex”) and its Addendum. 5 | Adopted

¶22

In the context of this Opinion and in order to approve the certification criteria, the EDPB has assessed the Application and Target of Evaluation Preliminary Checks and Controls (A); the Europrivacy GDPR Core Criteria (G); the Technological and Organisatio nal Measures Checks and Controls (T), provided along with the certification criteria.

¶23

Furthermore, the Board notes in this regard that, the “Complementary contextual checks and controls” 2 , provided along with the certification criteria approved with the Previous EDPB Opinion ( version 60 ), aimed at ensuring that the data processing involved in the ToE comply with domain - specific and technology - specific requirements 3 , were not approved by the EDPB in its Previous Opinion and that such “complementary contextual checks and controls” are no more present in the updated documentation provided in the context of the present Opinion.

¶24

The Board notes, as clarified in the definitions of the scheme, that references to “competent data protection authorities” throughout the scheme shall have the meaning of data protection authorities in the EEA 4 .

¶25

With regard to the definitions of Third Country law, the Board understands that it refers to the law applicable to the Applicant and/or to the personal data processed in the Target of Evaluation, to the extent that such law does not impose restrictions on the data protection rights which go beyond what is necessary and proportionate in a democrati c society to safeguard one of the objectives listed in Article 23 (1) GDPR, is proportionate to the objective pursued, respects the essence of the right to data pr otection, provides for specific measures to safeguard Data Subjects' fundamental rights and interests . 2.1 Scope of the certification mechanism and Target of Evaluation (ToE)

¶26

The EDPB recalls 5 , that the Europrivacy certification scheme is a general scheme in that it targets a large range of different processing operations performed by controllers and processors from various sectors of activity.

¶27

The Board welcomes that, in the documentation related to the scope of this certification scheme provided by LU SA, the amended Europrivacy scheme applies to: (i) controllers and processors established in the European Union (EU) or in the European Economic Area (EEA); (ii) controllers and processors established outside of the EEA who are subject to the GDPR pursuant to Article 3(2) GDPR either because they are offering goods or services to data subjects in the EEA or because they are monitoring the behaviour of data subjects in the EEA 6 . The applicability of the criteria is defined depending on the role and responsibilities of the applicant.

¶28

With respect to applicants under Article 3(2) GDPR located in a third country which are not subject to an adequacy decision encompassing the ToE, criterion A.2.1.6 defines conditions to be met when defining the ToE during the review of their application to certification. In particular, before considering a certification audit, it requires the certification body to check that the applicant is able to demonstrate that the national law and practice of the third country 2 T he EDPB d id not approve the “Complementary contextual checks and controls” in its Previous Opinion. 3 EDPB Previous Opinion, para graph s 7 and 8. 4 See the definition envisaged by the Europrivacy criteria for the ‘Competent SA’: “ “Competent Data Protection Authority” refers to data protection authorities in the EEA. Overall, it refers to the national data protection authorities that have competenc e to enforce compliance of the personal data processed by the Target of Evaluation. In the case of a GDPR certification delivered to a Data Importer under Art icle 46 GDPR, the competent Data Protection Authority is the one of the Data Exporter in the EEA, except for lodging a complaint where any authority in the EEA is competent ” . 5 EDPB Previous Opinion, para graph 6. 6 See EDPB Guidelines on the territorial scope of the GDPR (Article 3), Version 2.1, adopted on 12 November 2019, Section 2. 6 | Adopted does not hinder the applicant’s compliance with the certification requirements. If this is not the case, the certification process will stop during the application phase.

¶29

The Board notes that a data controller can submit to the Europrivacy certification process a ToE which is subject to joint controllership (criteri on A.2.1.5). In case the ToE is subject to joint controllership, the Board wishes to underline that the accredited certification body will have to carefully conduct the application process to ensure that the ToE is meaningful and that the applicant is fully responsible for the compliance of the ToE with all obligations under the GDPR that the certification scheme aims at demonstrating. As a consequence, the arrangement concluded between the applicant and the other joint controllers involved in the ToE with regards to their respective responsibilities for compliance with the obligations under the GDPR might – depending on the context of the processing activities of the ToE – prevent the applicant to fulfil the certification criteria. 2.2 Processing operations

¶30

As the EDPB noted in its Previous Opinion, the certification criteria address the relevant components of the processing operations (data, systems, and processing) with respect to the general scope of the certification scheme. In particular, the certificati on criteria allow identifying special categories of data as defined in Article 9 GDPR (section G.2 of the criteria on Special Data Processing). 2.3 Lawfulness of processing

¶31

As the EDPB stated in its Previous Opinion on the certification criteria already approved (version 60), the certification criteria require checking the lawfulness of the data processing for each individual processing operations in the ToE and require check ing the requirements of a legal basis as defined in Article 6 GDPR (section G.1 of the criteria on Lawfulness of Data Processing). In particular, the Board welcomes that the updated certification criteria require that the consent of the data subjects cover each purpose for which the processing is carried out and that the withdrawal of consent must not result in a detriment to the data subject.

¶32

Furthermore, as noted in the EDPB Previous Opinion, the certification criteria require checking the specific requirements of the conditions under which, according to Article 9(2) GDPR, the processing of special categories of personal data is allowed (secti on G.2.1 of the criteria on Special Data Processing) and providing additional restrictions and safeguards for the rights and freedoms of the data subject. The certification criteria also require checking the requirements of the conditions defined in Articl e 10 GDPR for the processing of personal data relating to criminal convictions and offences (section G.2.2 of the criteria), where applicable. In this regard, the Board also welcomes that the updated certification criteria (criterion G.2.1.3 on Additional safeguards for processing of special categories of personal data) also require that the applicant shall have additional restrictions and safeguards in place, adapted to the specific nature of the data and the corresponding risks, when special categories o f personal data is involved in the processing.

¶33

In addition, with respect to applicants under Article 3(2) GDPR located in a third country which are not subject to an adequacy decision encompassing the ToE, the updated certification criteria require the applicant to provide a report prepared by a legal expert assessing that the national law and practice of the third country do not prevent the fulfilment of its data protection obligations under the GDPR . Similarly, the assessment shall include that the national law of the third country does not impose res trictions on the data protection rights which go beyond what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, is proportionate to the objective pursued, respects the essence 7 | Adopted of the right to data protection, provides for specific measures to safeguard data subjects' fundamental rights and interests. It has also to be reviewed whenever regulatory or organisational changes may hinder the compliance with the criteria or affect the T oE or the Data Subjects' rights and the Certification Body should be informed (criterion G.1.1.5).

¶34

In this context, the updated certification criteria clarif y in the guidance that “ where an Applicant is established outside of the EEA benefiting from an adequacy decision relevant to the processing carried out in the ToE , compliance with this requirement may be demonstrated through a simplified report ” . According to those criteria, s uch report should have assessed whether the adequacy decision is in force and document the reasons why the ToE falls under the scope of the adequacy decision ” (criterion G.1.1.5, letter F) . 2.4 Principles of data processing

¶35

The EDPB recalls that, the certification criteria adequately address the data protection principles pursuant to Article 5 GDPR. In particular, the updated certification criteria extend and further elaborate on the principle of purpose limitation, by including a dedicated criterion requiring to demonstrate that the personal data are not further processed in a manner which is incompatible with those purposes and that any further pr ocessing should be separately assessed as lawful and that an assessment of th e purpose compatibility is conducted and duly documented for further processing of the data (criterion G.1.1.6). 2.5 General obligations of controllers and processors

¶36

The EDPB reminds that t he certification criteria 7 reflect the obligations of the controller pursuant to A rticle 24 GDPR (G.4 on Data Controller Responsibility) and require the evaluation of processor - controller contractual agreements in accordance with Article 28 GDPR (section G.5 of the criteria on Data Processors or sub - Processors).

¶37

Furthermore, the Board welcomes the addition that the certification criteria require the applicant under Article 3(2) GDPR to designate an office or a representative in the EEA pursuant to Article 27 GDPR w hose contact details are available on the a pplicant's website ( criterion G.4.1.4). The Board takes note of these certification criteria and recalls that this is not always a mandatory obligation for controllers and processors pursuant to GDPR, thus the conditions laid down in Article 27 GDPR shall be born e in mind.

¶38

In addition, the EDPB notes, as stated in its Previous Opinion, that t he certification criteria require all applicants to appoint a Data Protection Officer (DPO) even in the case where the applicant is not required to designate a DPO according to Article 37 GDPR. The criteria check that the DPO meet s the requirements under Articles 37 to

¶39

(section G.9 of the criteria on Data Protection Officer). 39 Similarly, t he certification criteria require to check the content of the records of processing of activities in accordance with Article 30 GDPR (section G.5.3 of the criteria on Records of processing activities) . In this regard, the Board welcomes that for applicants under Article 3(2) GDPR the updated certification criteria require that they cooperate with requests made by the competent DPAs in the EEA and make available to them, upon request, the record of proc essing activities (criterion G.5.3.5 ). 7 Previous EDPB Opinion, para graph 15. 8 | Adopted

¶40

In the same vein, the EDPB notes that some additional certification criteria have been included regarding the engagement of sub - processors for applicants acting as controllers or as processors (Section G.5.1.2 on Engaging sub - processors). This distinction allows to better reflect the separation of roles and responsibilities among the actors in the processing chain . 2.6 Rights of the data subjects

¶41

As in its Previous Opinion, the EDPB recalls that the certification criteria adequately address data subject’s right to information in accordance with Chapter III GDPR and require respective measures to be put in place 8 . The certification criteria also require to put in place measures providing for the possibility to intervene in the processing operation in order to guarantee data subjects’ rights and allow corrections, erasure or restrictions (section G.3 of the criteri a on Rights of the Data Subjects).

¶42

In addition, the EDPB welcomes the improvements that took place in the certification criteria with regard to the information to be provided to data subjects (section G 3.2 on Information to be provided where personal data are collected from the data subject and section G.3.3 on Information to be provided where personal data have not been obtained from the data subject ), the modalities of communication to data subjects 9 and for exercising data subjects rights 10 (section G 3.1 on T ransparent information, communication and modalities for exercising the rights of the data subjects ), as well as the right of access (Section G 3.4 on Right of access by the data subject), to erasure (Section G.3.6 on Right to erasure (‘right to be forgotten’)), to restriction of processing (criterion G 3.7.1 on the R ight to restriction of processing ), the n otification obligation regarding rectification or erasure of personal data or restriction of processing (criterion G.3.8.2 on the Duty to inform data su bjects on recipients if requested ), the right to object (Section G.3.10 on Right to object) and the right not to be subject to automated individual decision - making, including profiling (Section G.3.11 on Right not to be subject to automated individual decision - making, including profiling ). 2.7 Risks for the rights and freedom

¶43

The EDPB has already stated in its Previous Opinion that the certification criteria require assessing the risk to the rights and freedoms of natural persons of the data processing involved in the ToE in accordance with Article 35 GDPR (section G.8 of the c riteria on Duty to assess if Data Protection Impact Assessment (DPIA) is required) 11 .

¶44

The EDPB welcomes the changes made in the certification criteria in order to provide that “the applicant shall have assessed, with a repeatable methodology, the risks that are presented by the processing, that may impact the rights and freedoms of the natu ral persons” (section G.6.2.4 on Risk assessment for data processing).

¶45

Furthermore, the EDPB welcomes the further additions and details that the certification criteria introduced. For instance, the EDPB takes note of the addition made to the DPIA process 8 Previous l EDPB Opinion, para graph 19. 9 For instance, criterion G.3.1.1 on the Duty to inform in a clear language further elaborates on the information on the data processing provided by the applicant to the data subject, which now includes that (i) it should be provided in writing or by other means, (ii) it should be available in the official language(s) of the applicant and (iii) available in the language of the ta rgeted data subjects. 10 For instance, criterion G.3.1.3 on E nsuring proper data subject rights management and recording now requires the applicant to have a procedure or a mechanism in place to also confirm the reception of the request to the data subject and to keep r ecords of also the data subject requests with the date of receptio n. 11 Previous EDPB Opinion, para graph 20. 9 | Adopted regarding situations, where the applicant is not required to perform a DPIA, (section G.8.2.1 on DPIA Process requirements). 2.8 Technical and organisational measures guaranteeing protection

¶46

As noted in the EDPB Previous Opinion, the certification criteria require the application of technical and organisational measures providing for confidentiality, integrity and availability of processing operations. The criteria also require the application of technical measures to implement data protection by design and by default in accordance with Article 25 and Article 32 GDPR (section G.6 of the criteria on Data protection by Design and by default and security of processing, Section G.6.2 of the criteri a on Security of processing and Section on T criteria) 12 . In this regard, the Board welcomes that the amended certification criteria further elaborate (Section G.6.1.2 on Data minimisation by default) on the rules and procedures that the applicant shall apply in order to comply with these criteria.

¶47

As underlined in the EDPB Previous Opinion, the certification criteria require the application of measures to ensure that personal data breach notification duties are carried out in due time and in scope in accordance with Article 33 and 34 GDPR (section G .7 of the criteria on Management of Data Breaches).

¶48

In this regard, the Board notes that the certification criteria have been further improved and elaborated. More specifically, the certification criteria now include a more detailed list (section G.7.1.1. on Duty to document data breaches) as to the inform ation that the applicant must document where a data breach occurs (e.g. the categories of personal data that are or may be affected , the approximate number of data subjects that are or may be affected; the categories and approximate number of personal data records it concerns or may concern , the likely consequences of the personal data breach ). 2.9 Criteria for the purpose of demonstrating the existence of appropriate safeguards for transfer of personal data

¶49

As the Board affirmed in its Previous Opinion, t he certification criteria require identifying all personal data transfers to third countries and to international organizations involved in the ToE and substantiating the choice made regarding the data transfer mechanism providing for appropriate safeguards , pursuant to Chapter V GDPR (section G.10 – on Transfers of personal data to third countries or international organisations) .

¶50

The EDPB acknowledges that , for applicants under Article 3(2) GDPR, these certification criteria will appl y both in case of transfers of personal data involved in the ToE to entities located in the same third country where the applicant is located or in a different third country .

¶51

In addition, the Board welcomes that the certification criteria regarding transfers of personal data have now been further elaborated and provide more clearly the obligations of the 12 Previous EDPB Opinion, para graph 21. 10 | Adopted applicant with regards to this matter (Section G.10.1 on General obligations for international transfers of personal data to third countries or to international organisations). 3 A dditional C riteria for a E uropean D ata P rotection S eal 52. According to the Guidelines, the assessment shall include the question on “whether the criteria are able to take into account Member State data protection laws or scenarios”. As affirmed in the EDPB Previous Opinion, Section G.1.1.3 of the certification cr iteria requires the applicant to provide such an assessment in a National Obligations Compliance Assessment Report (NOCAR). Such report shall include an assessment of the national obligations applicable to the ToE and will document the measures taken by th e applicant to comply with applicable rules and, possibly, ongoing corrective actions. The applicant shall not use the key complementary national requirements list provided by the scheme owner for each country as an exhaustive list of national obligations relevant for the ToE. The indicative list of minimal complementary checks and controls requirement provided by the scheme owner are not criteria of certification in the scope of this Opinion.

¶53

The Board welcomes the adjustments made to the NOCAR in the updated criteria (Section G.1.1.3 on the National Obligations Compliance Assessment). In particular, it is now clarified that the applicant should document in a National Obligations Compliance Assessment Report (NOCAR) the assessment made on the compliance of the data processing “ with the complementary EEA national obligations related to personal data protection applicable to the applicant ”. In particular, the NOCAR should contain, among others, a clear identification of the ToE that has been assessed, the list of identified complementary EEA national data protection obligations applicable to the ToE as well as the evaluation of compliance of the ToE with the identified complementary EEA national data protection obligations. The Board considers that i n case the applicant is established outside the EEA and is subject to Article 3(2) GDPR, EEA national data protection obligations applicable to the ToE are to be determined on the basis of the location o f the data subjects to whom the applicant is offering goods or services or whose behaviour is under monitoring. 4 Conclusions / Recommendations

¶54

By way of conclusion, the EDPB considers that the Europrivacy certification criteria are consistent with the GDPR and approves them pursuant to the task of the Board defined in A rticle 70(1)(o) GDPR, resulting in a common certification (European Data Protection Seal).

¶55

The EDPB considers the certification criteria to form an integral part of the certification scheme and will register the Europrivacy certification scheme in the public register of certification mechanisms and data protection seals and marks and make the criteria publicly available pursuant to Article 42(8) GDPR. 5 Final remarks 11 | Adopted

¶56

This Opinion is addressed to the LU SA and will be made public pursuant to Article 64(5)(b) GDPR. For the European Data Protection Board The Chair Anu Talus

Similar Content