On 24 February 2023, the European Data Protection Board (EDPB) published the final version of its Guidelines 07/2022 on certification as a tool for transfers (the Guidelines). The Guidelines complement the Guidelines 1/2018 on certification adopted on 4 June 2019.
While the guidelines adopted in 2019 provide general guidance on certification tools, the Guidelines address the specific requirements of Chapter V of the GDPR that apply when certification is used as a transfer tool.
The adoption of these Guidelines is an opportunity for undertakings to take a closer look at a specific certification mechanism: the very first European Data Protection Seal pursuant to Art. 42(5) GDPR, adopted on 10 October 2022 by the EDPB.
The Q&A below gives an overview of the main takeaways of the European Data Protection Seal, including when it is used in the context of international transfer of personal data.

1. What is a data protection seal under the GDPR?

Under the GDPR, data protection seals and marks are mechanisms that may be used to demonstrate compliance with the obligations of the controller and the processor. The GDPR encourages the establishment of such mechanisms, which allow data subjects to quickly assess the level of data protection of relevant products and services.
Specific criteria and requirements must be met by controllers in order to use a certain data protection seal.
The use of such seal is always optional. All data protection seals and marks shall be registered by the EDPB in a register and made publicly available(1).

2. What is the European Data Protection Seal?

Article 42(5) GDPR enables supervisory authorities to issue a certification mechanism based on certain criteria. Where these criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal.
The European Data Protection Seal is valid in all Member States. It allows controllers and processors (even if located in different countries) to certify that selected data processing activities are GDPR-compliant.
The “Europrivacy v.60 criteria” (Europrivacy criteria) were drafted by the European Centre for Certification and Privacy, located in Luxembourg. The Europrivacy criteria encompass a wide range of data processing operations carried out by controllers and processors in many sectors, and are based on the data protection requirements set forth in the GDPR.
The Supervisory Authority of Luxembourg submitted the Europrivacy criteria of certification to the EDPB for approval on 28 September 2022.
With its Opinion 28/2022 on the Europrivacy criteria of certification dated 10 October 2022, the EDPB approved the Europrivacy criteria, thus approving the very first European Data Protection Seal.
It must be noted that the processing of genetic data is excluded from the scope of this European Data Protection Seal.

3. What do the Europrivacy criteria entail?

The main criteria are composed of the “Core (GDPR) criteria” and of the “TOMs checks and controls” concerning technological and organisational measures implemented to secure the processed personal data.
A set of the “TOMs checks and controls” criteria is only applicable if the so-called “Target of Evaluation” (“ToE”), i.e. the processing activities selected for certification, concerns special categories of data, criminal offence related data, or personal data of a child.
The Europrivacy criteria also include “Complementary contextual checks and controls” aiming to ensure that the data processing involved in the ToE complies with domain-specific and technology-specific requirements.
The Europrivacy criteria require e.g. the following:
  • verification of the lawfulness of the data processing for each individual processing operation in the ToE,

  • demonstration that the processed personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,

  • evaluation of processor-controller contractual agreements in accordance with Article 28 GDPR,

  • appointment of a Data Protection Officer (DPO) even in the case where the applicant is not required to designate a DPO according to Article 37 GDPR,

  • verification of the content of the records of processing activities in accordance with Article 30 GDPR,

  • implementation of measures with respect to data subject’s rights under the GDPR,

  • assessing the risk to the rights and freedoms of natural persons of the data processing involved in the ToE,

  • application of technical measures to implement data protection by design and by default in accordance with Articles 25 and 32 GDPR,

  • application of measures to ensure that personal data breach notification duties are carried out in due time and scope in accordance with Articles 33 and 34 GDPR.

The Europrivacy criteria also require identifying all personal data transfers to third countries and to international organisations involved in the ToE and substantiating the choice made regarding the appropriate safeguards in place, in accordance with Chapter V of the GDPR.
However, the European Data Protection Seal does not as such constitute an appropriate safeguard for international transfers of personal data (see question 7 below).

4. Can the European Data Protection Seal be used in situations of joint controllership?

Yes.
A data controller can submit to the Europrivacy certification process a ToE which is subject to joint controllership.
However, in such a case, the arrangement between the applicant and the other joint controller(s) involved in the ToE regarding their respective responsibilities further to the GDPR might prevent the applicant from fulfilling the criteria of certification (depending on the context of the processing activities of the ToE).

5. How to get certified using the European Data Protection Seal?

Obtaining the European Data Protection Seal for certain processing operations involves the following steps:
  • preparatory stage: compliance with the Europrivacy criteria must be documented and submitted by the applicant;

  • certification stage: compliance with the Europrivacy criteria is certified by a qualified Certification Body;

  • monitoring stage: compliance with the Europrivacy criteria must be maintained and is monitored, including by way of yearly surveillance audits.

6. Are there legal restrictions regarding the transfer of personal data outside the EEA?

Yes.
As a general principle, transfers of personal data outside the European Economic Area (EEA) are prohibited by the GDPR, unless the recipient third country ensures an adequate level of protection for the transferred personal data (2).
The European Commission may decide that a third country ensures such an adequate level of protection by issuing an adequacy decision, in which case the transfer can take place without any specific authorisation(3).
In the absence of an adequacy decision, international data transfers can only take place if the data exporter implements appropriate safeguards, and provided that enforceable rights and effective legal remedies are available to data subjects(4).
Pursuant to Article 46(2)(f) GDPR, such appropriate safeguards may be provided for by an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
As a result, the data exporter might decide to rely on the certification obtained by a data importer as an element to demonstrate compliance with its obligations.

7. Is the European Data Protection Seal an appropriate safeguard for international transfers of personal data?

Yes, if combined with binding and enforceable commitments.

The EDPB indicated in its Opinion 28/2022 that the Europrivacy certification mechanism does not as such provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations.
However, further to the Guidelines, a European Data Protection Seal for international data transfers may serve as a tool to cover transfers to third countries together with binding and enforceable commitments to apply the appropriate safeguards provided by the certification mechanism.
Therefore, the European Data Protection Seal could be used as an appropriate safeguard if it is combined with e.g. a contract between the data exporter and the data importer(5), in which the importer:
  • commits to comply with the rules specified in the certification intended for transfers;

  • warrants it has no reason to believe that the laws and practices in the third country applicable to the processing at stake (including any requirements to disclose personal data or measures authorising access by public authorities) prevent it from fulfilling its commitments under the certification;

  • will inform the exporter of any relevant changes in the legislation or practice in this regard.

The contract (or other binding instrument) shall also provide for mechanisms allowing such commitments to be enforced in case of non-compliance with the rules under the certification.
The Guidelines provide further guidance on the content of such a contract, and list in their Annex several examples of supplementary measures to be implemented by the importer, depending on whether the transit is included in the scope of the certification.

8. How can my company benefit from using the European Data Protection Seal and how can Liedekerke help me?

Obtaining the European Data Protection Seal is an effective way for controllers to demonstrate (to clients, business partners, Data Protection Authorities, etc.) compliance with their obligations under the GDPR. In a press release issued on 17 October 2022, the European Commission noted that undertakings can use this certification scheme to increase the value of their businesses, and emphasised that the Europrivacy criteria are applicable to emerging technologies, such as AI, IoT, blockchain, automated cars, smart cities, etc.
Liedekerke has extensive experience in all GDPR-related matters. Should you wish, our GDPR experts would be happy to assist you at each step of the certification process.
If you have any questions in this regard, do not hesitate to reach out to one of the members of the IP/IT/Data protection team of Liedekerke at their individual e-mail address or via ip/it-team@liedekerke.com.

(1) To date, the EDPB’s Register of certification mechanisms, seals and marks has not yet been made publicly available.
(2) Art. 44 GDPR
(3) Art. 45 GDPR
(4) Art. 45 GDPR
(5) See Guidelines, § 53