Date Published 14/07/2022
Guidelines on Certification for Transfers
The European Data Protection Board (the 'EDPB') has recently issued draft guidelines on certification as a tool for transfers, which are currently open for public consultation. Since the CJEU's Schrems II decision, the transfer of data to third countries has been widely discussed, and these guidelines will be of assistance to controllers and processors who wish to use certification to demonstrate compliance with their GDPR obligations.
Certification is provided for under Article 42 of the General Data Protection Regulation (GDPR), which provides that the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations by controllers and processors comply with the GDPR, shall be encouraged. Article 46 of the GDPR provides that a controller or processor may only transfer personal data to a third country if the controller or processor has provided appropriate safeguards. Article 46(2)(f) provides that an appropriate safeguard may be provided through an approved certification mechanism pursuant to Article 42, together with a binding and enforceable commitment from the controller or processor in the third country that it will apply the safeguards.
When certification is used as a transfer tool, the EDPB suggests that it must aim at ensuring that adequate safeguards are in place when personal data is processed outside the EEA, in accordance with the GDPR. As set out in EDPB Guidelines 1/2018, certification does not prove compliance; however, it is an element which can be used to demonstrate compliance. The data exporter must verify that the certification it intends to rely upon is effective. In particular, it must check that the certification is valid, that it covers the processing which will occur, and that there is a binding certification agreement in place.
Process of certification and bodies involved:
The certification process is a voluntary and transparent process. The EDPB outlines that certification is based on the evaluation of certification criteria according to a binding audit methodology. The criteria are approved by the national supervisory authorities or by the EDPB. In Ireland, the Data Protection Commission is the supervisory authority responsible for approving the data protection criteria used in certification schemes, and the Irish National Accreditation Board is responsible for the accreditation of certification bodies that intend to operate these schemes.
In addition to the criteria outlined in EDPB Guidelines 1/2018, the EDPB considers that the following criteria should also be included: an assessment of the legislation in place in the relevant third country, the general obligations of exporters and importers, rules on onward transfers, and redress and enforcement.
Certification is an effective accountability tool which can put controllers and processors in a strong position when they are required to show that appropriate safeguards are in place and that they have complied with their GDPR obligations. It is also beneficial to data subjects, as it allows them to assess the level of data protection provided by an organisation.