On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers. These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.
These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework. The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.
The guidelines cover the creation of a certification mechanism for data importers, controllers and processors located outside of the EEA, in relation to a single processing operation or a set of operations. The certification would enable these data importers to demonstrate the existence of appropriate safeguards to address the specific risks associated with personal data transfers from the EEA-based entity.
According to the guidelines, the data exporter in the EEA is responsible for ensuring that the data importer’s certification is effective in light of the characteristics of the intended processing and the law and practices in force in the non-EEA country. The guidelines specifically mention that the data exporter should verify that there is a contract or another legal binding instrument between the certified data importer and the certification body.
The guidelines explain what is needed to set up such certification schemes. They also aim to help the Supervisory Authorities in reviewing and assessing certification criteria.
Relatedly, on May 13, 2022, the Luxembourg Supervisory Authority was the first authority to adopt a national GDPR certification mechanism. Organizations in Luxembourg can obtain this certification to demonstrate that their data processing activities comply with the GDPR. However, this certification tool is not a transfer mechanism under Art. 46 GDPR-.
* * *
The Covington team will keep monitoring the guidance released by the Supervisory Authorities and the EDPB relating to the CJEU’s Schrems II judgement, and is happy to assist with any inquiries on the topic.