Transfer to a third country
Certification and certification mechanisms
Certification and certification mechanisms are a type of additional safeguard under the GDPR. Certification is a form of tool that can be used to contribute to a high level of data protection. It may also be used to prove that the processing of personal data is in accordance with the GDPR. Certification as a tool can be used by both controllers and processors.
Criteria for certification are set out in the certification scheme
There are some specific criteria for becoming certified, and these are gathered in a so-called certification scheme. The actor who owns and is responsible for the development of the certification scheme may, for example, be an authority, academic institution or a private company.
For example, criteria in a certification scheme may refer to the organisational and technical security measures applied by the certified actor. Certification is a tool that underpins the principle of accountability.
Accredited and independent certification body
One of the requirements to be certified and obtain a certificate is that an application to an accredited and independent certification body needs to be made by the company who wants to be certified. The purpose of such a certification body is to examine whether the applicant meets the criteria of the certification scheme. This may be done, inter alia, by the certification body reviewing control documents, drawing up reports or conducting interviews with authorised staff of the applicant operator.
National accreditation body
Each EU member state can have a national accreditation body, which can accredit certification bodies in the country. Furthermore, the data protection authorities of the Member States can determine the requirements for such accreditation of certification bodies.
If the criteria are intended to be used throughout the EEA, it is instead for the European Data Protection Board (EDPB) to approve the criteria.
The EDPB has published guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679).
European data protection seal
The company that obtains an approved certification receives a European data protection seal. This data protection seal can be applied to the processing of personal data throughout the EU/EEA area, and is beneficial for companies operating in several Member States.
In addition, it is a competitive advantage to have such a certificate for data processors. This is because the certificate then confirms that the processor has provided sufficient guarantees in accordance with Art. 28 para. 1 GDPR. Pursuant to that clause, controllers shall engage only processors that have provided sufficient guarantees to implement appropriate technical and organisational measures so that the processing complies with the requirements of the GDPR and ensures that the rights of the data subject are protected.
The legal importance of a certificate
A certificate means that the processing meets the criteria of a certification scheme, which is evidenced by assessments and the documentation on which the certification is based. However, it does not show that an individual processing of personal data actually meets the requirements of the GDPR.
On the other hand, there must be a high level of data protection for the processing of personal data that is covered by a certification. This is something that data protection authorities pay particular attention to, should a certified processing be subject to supervision, fines or other remedial measures.
Transfer of personal data to third countries with certification as a transfer tool
A recipient of personal data in a third country may have joined an approved certification scheme. In such cases, the transfer of personal data to the recipient in that third country may be permitted. This presupposes that the certificate imposes enforceable and legally binding obligations on the operator receiving the personal data.
Guidelines on certification as a basis for the transfer of personal data to third countries have been developed by the EDPB. They provide more guidance and information on the requirements for a certification scheme as a transfer tool. The guidelines also provide information on how to get a certification scheme approved. See the EDPB Guidelines 07/2022 on certification as a tool for transfers.
Binding corporate rules are another safeguard for transfers to third countries
A group of companies may establish binding corporate rules as an additional safeguard for transfers of personal data to third countries. After that, the rules must be approved by the responsible data protection authority. Other data protection authorities in the EU/EEA area will have the opportunity to give their opinion on the provisions. The same applies to the European Data Protection Board. If approved by the responsible data protection authority, the company may transfer the personal data with the support of the binding corporate rules.