If personal data is to be transferred from the EU to countries outside the European Economic Area (EEA), either an adequacy decision by the EU Commission for the respective country must be in place, or other safeguards must be taken to ensure that a level of protection comparable to the General Data Protection Regulation (GDPR) exists for the transferred data in the third country. One such safeguard recognised by Art. 46 GDPR is certification.
Because this mechanism has not yet been applied in practice, the European Data Protection Board (EDPB) published draft guidelines on certification as a tool for international data transfers on 14 June 2022. The text of the guidelines is open for public consultation until the end of September 2022.
Background: data transfers to third countries
International data transfers are an integral part of many companies’ business practices. Art. 44 GDPR clarifies that personal data can only be transferred to third countries if, in addition to the other provisions of the GDPR, the provisions of Chapter 5 of the GDPR (International Data Transfers) are adhered to.
Accordingly, any data transfer must, amongst other requirements, be lawful under Art. 6 GDPR, comply with the data protection principles in Art. 5 GDPR and, in the case of special categories of data, comply with Art. 9 GDPR.
Moreover, according to Chapter 5 of the GDPR, personal data can only be transferred if the recipient country has a data protection level equivalent to that in the EEA, which has been confirmed by an adequacy decision by the EU Commission (Art. 45 GDPR), or if other safeguards provided by the GDPR (see Art. 46 GDPR) are used by the controller or processor transferring the data in order to ensure an adequate level of protection. Art. 46 GDPR specifies in this regard that,
“in the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.
According to Art. 46(2)(f) GDPR, an approved certification mechanism (Art. 42 GDPR), combined with binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards, can be such a tool for transferring personal data in the absence of an adequacy decision. Even though the GDPR introduced this mechanism, it has not yet been used in practice. The guidelines published by the EDPB therefore aim to clarify and explain the practical application of this transfer tool.
The Guidelines on certification as a tool for data transfers
On 14 June 2022, the EDPB adopted draft guidelines that aim to clarify the use of certification as a tool for international data transfers, and in particular how Art. 46(2)(f) and Art. 42(2) GDPR are to be applied. The guidelines complement the existing EDPB guidelines on the definition of certification criteria and on the accreditation of certification bodies. The draft is open to public consultation until the end of September 2022; the final version of the guidelines will be adopted after that.
The guidelines are divided into four parts: general questions such as objective, scope and the actors involved; “implementing guidance on accreditation requirements for certification bodies”; “specific certification criteria”; and “binding and enforceable commitments to be implemented”.
The overall aim is to create a certification mechanism through which data importers can demonstrate that they provide appropriate safeguards addressing the specific risks of receiving personal data from an entity established in the EU. Hence, it is the data importer who is granted the certification. Data exporters, on the other hand, may rely on this certification to demonstrate that the controllers or processors outside the EEA (the data importers) provide appropriate safeguards with respect to the specific risks of the international transfer, since compliance with the GDPR remains the data exporters’ responsibility. The certification can also require supplementary measures to ensure that the level of protection guaranteed in the EU is maintained.
In accordance with Art. 42(5) GDPR, certifications are issued by accredited certification bodies or by the competent supervisory authority. Certification bodies can also be private organisations, provided that they meet the requirements of Art. 43 GDPR and have been accredited beforehand.
The criteria that must be met in order to be granted certification are defined by the scheme owner and approved by the EDPB or the competent supervisory authority (see Art. 42(5) GDPR). Guidance on these criteria has been published by the EDPB in its guidelines on the definition of certification criteria.
The new guidelines set out additional criteria that a certification mechanism must include if it is to be used as a tool for international data transfers. These cover, in particular, an assessment of the third country’s legislation; the general obligations of importers and exporters; rules on onward transfers; redress and enforcement; processes and actions for situations in which national legislation or practices prevent compliance with the commitments made as part of the certification; and the handling of data access requests by third-country authorities.
In order to use certification as a transfer tool under Art. 46 GDPR, the data exporter must ensure that the data importer’s certification is valid and has not expired, and that it covers the specific intended transfer. Moreover, the exporter has to verify whether the scope of the certification covers the transit of personal data and any onward transfers, and whether adequate documentation is provided in this regard. In addition, the exporter has to verify that there is a legally binding document (e.g. a ‘certification agreement’ or another contract) between the certification body and the data importer in which the importer makes a binding commitment to apply the certification criteria to all personal data transferred under the certification. The use of certification as the transfer tool should also be recorded in the data processing agreement between controller and processor or in the data sharing agreement.
The guidelines also clarify that the data exporter has to conduct an assessment on whether the respective certification provides an effective safeguard in view of the law and practices in the third country. Depending on the outcome, additional measures may need to be taken.
Expanding the toolbox for GDPR-compliant international data transfers
So far, the most common tool used under Art. 46 GDPR to transfer data to third countries in the absence of an adequacy decision has been Standard Contractual Clauses (SCCs), which the data exporter enters into with the receiving company in the third country.
The guidelines could be an important step towards adding another actionable instrument to the toolbox for international data transfers and further facilitating them. It will be interesting to see what changes and additions the public consultation will bring. We will keep you updated on this.