On 16 June 2022, the European Data Protection Board (EDPB) adopted draft guidelines on certification as a tool for transfers of data to third countries without adequacy status (the Guidelines). The EDPB has now published the text of the Guidelines for public consultation.
Approved certification mechanisms under Art. 46(2)(f) GDPR, combined with binding and enforceable commitments by the third-country controller or processor to apply appropriate safeguards, were introduced by the GDPR but have not yet been used in practice. The new Guidelines describe a two-step test applicable to international transfers and explain how data exporters can rely on the certification mechanism.
The Guidelines focus on the following aspects of the certification mechanism:
- the purpose, scope and the different actors involved;
- implementing guidance on accreditation requirements for certification bodies;
- specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and
- the binding and enforceable commitments to be implemented.
The Guidelines clarify that the object of the certification can be a single processing operation or a set of operations, and can comprise governance processes (as organisational measures) that form an integral part of a processing operation. They also clarify that data exporters may rely on certification as a transfer tool to demonstrate the existence of appropriate safeguards provided by controllers or processors outside the EEA in relation to the specific risks of transferring the data. The data exporter must verify that the data importer's certification is valid and has not expired, that it covers the specific transfer to be carried out, and whether transit of data falls within the scope of the certification. It must also check whether onward transfers are involved and that adequate documentation is in place for those transfers. In addition, the exporter must verify that a legally binding document (e.g. a contract or a ‘certification agreement’) exists between the certification body and the data importer, containing the importer's commitments to apply the certification criteria to all personal data transferred under this certification. The use of certification as a transfer tool should also be referred to in the controller-processor agreement or in the data sharing agreement, depending on the roles of the parties.
Furthermore, the EDPB states that the data exporter must undertake a transfer impact assessment to establish whether the certification would provide an effective tool in light of the law and practices in the third country (and may partially rely on an assessment provided by the data importer as one element of this assessment). If necessary, additional supplementary measures, on top of the measures provided as part of the certification, might need to be put in place in specific cases.
The Guidelines further set out many practical aspects of the certification criteria, additional exporter safeguards, situations in which national legislation prevents compliance with the commitments taken as part of the certification, implementation of binding and enforceable commitments (including minimum requirements for the content of a contract or similar instrument containing these commitments), and an annex with examples of supplementary measures that the data importer can implement where the scope of the certification covers the transit of data.
The Guidelines will be subject to public consultation until 30 September 2022.