On 24 February 2023, the European Data Protection Board (EDPB) published the final version of its Guidelines 07/2022 on certification as a tool for transfers (the Guidelines). The Guidelines complement the Guidelines 1/2018 on certification adopted on 4 June 2019.
While the guidelines adopted in 2019 provide general guidance on certification tools, the Guidelines addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool.
The adoption of these Guidelines is an opportunity for undertakings to take a closer look at a specific certification mechanism: the very first European Data Protection Seal pursuant to Art. 42(5) GDPR, adopted on 10 October 2022 by the EDPB.
The Q&A below gives an overview of the main takeaways of the European Data Protection Seal, including when it is used in the context of international transfer of personal data.
1. What is a data protection seal under the GDPR?
Under the GDPR, data protection seals and marks are mechanisms that may be used to demonstrate compliance with the obligations of the controller and the processor. The GDPR encourages the establishment of such mechanisms, which allow data subjects to quickly assess the level of data protection of relevant products and services.
Specific criteria and requirements must be met by controllers in order to use a certain data protection seal.
The use of such seal is always optional. All data protection seals and marks shall be registered by the EDPB in a register and made publicly available(1).
2. What is the European Data Protection Seal?
Article 42(5) GDPR enables supervisory authorities to issue a certification mechanism based on certain criteria. Where these criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal.
The European Data Protection Seal has validity is all Member States. It allows controllers and processors (even if located in different countries) to certify that selected data processing activities are GDPR-compliant.
The “Europrivacy v.60 criteria” (Europrivacy criteria) was drafted by the European Centre for Certification and Privacy, located in Luxembourg. The Europrivacy criteria encompasses a wide range of data processing operations carried out by controllers and processors in many sectors, and is based on the data protection requirements set forth in the GDPR.
The Supervisory Authority of Luxemburg submitted the Europrivacy criteria of certification to the EDPB for approval on 28 September 2022.
With its Opinion 28/2022 on the Europrivacy criteria of certification dated 10 October 2022, the EDPB approved the Europrivacy criteria, thus approving the very first European Data Protection Seal.
It must be noted that the data processing of genetic data is excluded from the scope of this European Data Protection Seal.
3. What do the Europrivacy criteria entail?
The main criteria are composed of the “Core (GDPR) criteria” and of the “TOMs checks and controls” concerning technological and organisational measures implemented to secure the processed personal data.
A set of the “TOMs checks and controls” criteria are only applicable if the so-called “Target of Evaluation” (“ToE”), (i.e. the processing activities selected for certification) concerns special categories of data, criminal offense related data, or personal data of a child.
The Europrivacy criteria also include “Complementary contextual checks and controls” aiming to ensure that the data processing involved in the ToE complies with domain-specific and technology specific requirements.
The Europrivacy criteria require e.g. the following:
verification of the lawfulness of the data processing for each individual processing operations in the ToE,
demonstration that the processed personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
evaluation of processor-controller contractual agreements in accordance with Article 28 GDPR,
appointment of a Data Protection Officer (DPO) even in the case where the applicant is not required to designate a DPO according to Article 37 GDPR,
verification of the content of the records of processing activities in accordance with Article 30 GDPR,
implementation of measures with respect to data subject’s rights under the GDPR,
assessing the risk to the rights and freedoms of natural persons of the data processing involved in the ToE,
application of technical measures to implement data protection by design and by default in accordance with Article 25 and 32 GDPR,
application of measure to ensure that personal data breach notification duties are carried out in due time and scope in accordance with Article 33 and 34 GDPR.
The Europrivacy criteria also require identifying all personal data transfers to third countries and to international organisations involved in the ToE and substantiating the choice made regarding the appropriate safeguards in place, in accordance with Chapter V of the GDPR.
However, the European Data Protection Seal does not as such constitute an appropriate safeguard for international transfer of personal data (see question 7 below).
4. Can the European Data Protection Seal be used in situations of joint controllership?
Yes
A data controller can submit to the Europrivacy certification process a ToE which is subject to joint controllership.
However, in such a case, the arrangement between the applicant and the other joint controller(s) involved in the ToE regarding their respective responsibilities further to the GDPR might prevent the applicant from fulfilling the criteria of certification (depending on the context of the processing activities of the ToE).
5. How to get certified using the European Data Protection Seal?
Obtaining the European Data Protection Seal for certain processing operations involves the following steps:
preparatory stage: compliance with the Europrivacy criteria must be documented and submitted by the applicant;
certification stage: compliance with the Europrivacy criteria is certified by a qualified Certification Body;
monitoring stage: compliance with the Europrivacy criteria must be maintained and is monitored, including by way of yearly surveillance audits.
6. Are there legal restrictions regarding the transfer of personal data outside the EEA?
Yes.
As a general principle, transfers of personal data outside the European Economic Area (EEA) are prohibited by the GDPR, unless the recipient third country ensures an adequate level of protection for the transferred personal data (2).
The European Commission may decide that a third country ensures such an adequate level of protection by issuing an adequacy decision, in which case the transfer can take place without any specific authorisation(3) .
In the absence of an adequacy decision, international data transfers can only take place if the data
exporter implements appropriate safeguards, and provided that enforceable rights and effective legal
remedies are available to data subjects(4).
Pursuant to Article 46(2) (f) GDPR, such appropriate safeguards may be provided for by an approved
certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
As a result, the data exporter might decide to rely on the certification obtained by a data importer as an element to demonstrate compliance with its obligations.
7. Is the European Data Protection Seal an appropriate safeguard for international transfers of personal data?
Yes, if combined with binding and enforceable commitments.
The EDPB indicated in its Opinion 28/2022 that the Europrivacy certification mechanism does not as such provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations.
However, further to the Guidelines, a European Data Protection Seal for international data transfers may serve as a tool to cover transfers to third countries together with binding and enforceable commitments to apply the appropriate safeguards provided by the certification mechanism.
Therefore, the European Data Protection Seal could be used as an appropriate safeguard if it is combined with e.g. a contract between the data exporter and data importer(5).
commits to comply with the rules specified in the certification intended for transfers;
warrants it has no reason to believe that the laws and practices in the third country applicable to the processing at stake (including any requirements to disclose personal data or measures authorising access by public authorities) prevent it from fulfilling its commitments under the certification;
will inform the exporter of any relevant changes in the legislation or practice in this regard.