The European Data Protection Board (EDPB) has approved the Europrivacy certification criteria for use as a European Data Protection Seal in the context of international data transfers under Articles 42 and 46 GDPR. In principle, certifications issued under the scheme may be relied upon as an Article 46(2)(f) transfer mechanism for certified data importers outside the EEA that are not subject to the GDPR pursuant to Article 3, provided that they enter into binding and enforceable commitments vis-à-vis the EEA data exporter.
Key takeaways
- The scheme is intended for data importers outside the EEA that are not subject to the GDPR pursuant to Article 3, and is designed to demonstrate “appropriate safeguards” for Chapter V transfers.
- Transfers may take place only where the importer has been certified and has entered into binding and enforceable commitments with the EEA exporter; transfers cannot begin before certification is granted.
- Applicants must assess whether third-country laws and practices could prevent compliance with the certification criteria and update that assessment where circumstances change.
- Where necessary, importers must implement supplementary measures; if an adequate level of protection cannot be ensured, the transfer should be suspended or terminated.
- The required commitments include granting enforceable rights to data subjects, cooperating with EEA supervisory authorities, complying with binding decisions, and returning or deleting the data if certification is withdrawn.
The full text of the opinion is available here.
