February 27, 2023
On February 24, 2023, the European Data Protection Board (“EDPB”) published its guidelines on the certification mechanism as a tool for international data transfers from a data exporter to a data importer (“Guidelines”) pursuant to Article 46(2)(f) GDPR, following a public consultation held in June 2022.
Article 42 of the GDPR sets out the basis for voluntary “Certification Mechanisms”. In short, the framework laid down by Articles 42-43 and the EDPB’s related guidelines should allow international certification bodies, such as the International Standardization Organization (ISO), to develop and approve standards, seals, and marks indicating GDPR compliance. Under Article 46 of the GDPR, such certification, together with proper binding contractual commitments, can serve as a “Data Transfer” mechanism, allowing the transfer of Personal Data outside the EEA to a third country.
In 2019, the EDPB published guidelines setting out the general criteria for granting such “GDPR certification” by competent bodies, such as verification of the lawfulness of processing, proof of contractual agreements, the implementation of technical and organizational measures, etc. It is important to note that, although such guidelines are in place, no such certification mechanism has been approved yet. ISO has published ISO 27701:2019, an extension to the ISO 27001 standard pertaining to Privacy Information Management Systems – but this certification has not yet received EDPB approval.
However, the current Guidelines further explain some of the accreditation requirements applicable in the context of data transfers. In order to use certification as a mechanism for data transfer, the Guidelines emphasize the need to include a self-assessment of the processing performed by the data importer (including onward transfers), and of the third-country legal framework (including case law), to verify that it does not prevent the data importer from complying with its obligations under the certification. Simply put, reliance upon certification as a data transfer mechanism per Article 46(2)(f) GDPR does not obviate the need to ensure that the importing country’s law does not jeopardize the privacy of the transferred Personal Data (similarly to the supplementary transfer tools required pursuant to the EDPB recommendations following the Schrems II decision).
We at the APM Technology and Regulation Team can assist our clients with ensuring compliance with applicable law and implementing relevant certifications such as ISO 27001, ISO 27799, ISO 27701, etc., and we will be happy to assist you in this regard.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as binding legal advice, but rather a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.