Nordia News

Certification as a transfer tool

By Kjell Steffner
Published: 03.06.2026 | Posted in Insights

Last updated 3 June 2026

In brief

  • For the first time, the EDPB has approved a certification scheme that can serve as a transfer tool for personal data to third countries under GDPR Article 46(2)(f) (Opinion 15/2026, adopted 15 April 2026).
  • The approved scheme is Europrivacy. It gives EEA data exporters – including Nordic businesses – a new tool alongside Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
  • A transfer may begin only once the non-EEA data importer is certified and has signed binding and enforceable commitments towards the exporter.
  • Certification does not remove the exporter’s own responsibility: you must verify that the certificate covers the specific transfer, and the Schrems II assessment of third-country law still applies.
  • In practice, operationalisation is still pending – including accreditation of certification bodies – so certificates are not yet available.

What has the EDPB actually approved?

The European Data Protection Board (EDPB) adopted two opinions on the Europrivacy scheme on 15 April 2026. Both were submitted by the Luxembourg supervisory authority (CNPD) and assessed through the consistency mechanism under GDPR Article 64.

Opinion 14/2026 approves the updated criteria (version 82) as a European Data Protection Seal under Article 42(5) and extends the scheme to organisations outside the EEA that fall under Article 3(2) – those offering goods or services to, or monitoring the behaviour of, individuals in the EEA.

Opinion 15/2026 goes further. For the first time, the EDPB has approved a dedicated set of criteria that a non-EEA data importer can use as a transfer tool under Articles 42 and 46(2)(f). The scheme owner is the European Center for Certification and Privacy, and the EDPB will enter the scheme in the public register of certification mechanisms (Article 42(8)).

Where does certification as a transfer tool fit in the GDPR?

Transfers of personal data out of the EEA are governed by GDPR Chapter V. The core rule is that the level of protection must travel with the data, so that the protection guaranteed by the GDPR is not undermined when the data is processed in a third country (Article 44). The framework offers several alternative bases:

Mechanism | Legal basis | In brief
Adequacy decision | Art. 45 | The Commission finds the third country provides an adequate level of protection
Standard Contractual Clauses (SCCs) | Art. 46(2)(c) | The most common tool; requires a transfer impact assessment and, where needed, supplementary measures
Binding Corporate Rules (BCRs) | Art. 46(2)(b) | For transfers within a corporate group
Certification | Art. 46(2)(f) | New: Europrivacy approved by the EDPB in 2026
Derogations | Art. 49 | Narrow, situation-specific grounds

Certification as a transfer tool has been in the GDPR text since 2018, but remained a theoretical option in practice because no scheme had been approved for the purpose. Opinion 15/2026 changes that.

Under Article 46(2)(f), the appropriate safeguards may be provided by an approved certification mechanism under Article 42, together with binding and enforceable commitments by the data importer to apply the safeguards, including as regards data subjects’ rights.

Who is this relevant to – and why?

The new mechanism is mainly relevant to four groups.

EEA-based data exporters – including businesses across the Nordic region – with data flows out of the EEA, typically through cloud services, SaaS, intra-group services or outsourcing, gain a standardised and independently audited basis for transfers. For repeated transfers to the same importer, this may in time be simpler than building safeguards from scratch each time.

Non-EEA data importers – providers in the United States, the United Kingdom, India and elsewhere – can use certification to make themselves “transfer-ready” for European customers. It can be a competitive advantage, particularly for providers serving many European partners.

Organisations outside the EEA that fall under Article 3(2) can, following Opinion 14/2026, use the scheme to document GDPR compliance.

Data protection officers, privacy counsel and procurement and IT functions in businesses with international data flows should know the tool when selecting and documenting a transfer basis. For most organisations, SCCs will remain the primary tool for now.

What conditions apply before a transfer can take place?

A transfer cannot begin until the data importer is both certified and has signed binding and enforceable commitments towards the exporter. These commitments include recognising data subjects as third-party beneficiaries who can enforce the rules, cooperating with the EEA supervisory authority competent for the exporter (including audits and binding decisions), processing the data only while the certificate is valid, and returning or deleting the data if the certificate is withdrawn.

The exporter retains an independent responsibility. The exporter must verify that the certificate is valid and not expired, that it covers the specific transfer and any transit, and that the certification body is accredited. Reliance on the certification should be anchored in the Article 28 processor agreement or in a controller-to-controller data-sharing agreement, and data subjects must be informed of the safeguards used (Article 13(1)(f)).

The scheme applies to a defined processing activity – the Target of Evaluation – not to the organisation as a whole. Joint controllership is expressly excluded from the scheme for importers under Article 46.

Does this solve the Schrems II problem?

No – not on its own. This is the most important caveat. The criteria do build in the assessment of third-country law that Schrems II requires: before a certification audit, the certification body must check that the third country’s law and practice do not prevent compliance, and the importer must analyse local law, adopt supplementary measures where necessary, and suspend or stop the transfer if the level of protection cannot be ensured. The importer must also warrant that no local access or surveillance law prevents it from meeting its commitments.

Certification therefore standardises and audits the safeguards, but it does not make a problematic third country “adequate”. Where local law stands in the way, certification will not be granted, or the transfer must stop. Certification is also a voluntary accountability tool that does not limit supervisory authorities’ powers, and how the authorities will treat the mechanism in practice remains to be seen.

What should Nordic businesses do now?

The mechanism is approved but not yet fully operational. A measured starting point:

  1. Map your data flows out of the EEA and the current transfer basis for each one.
  2. As an exporter: consider whether certification may in time simplify repeated transfers to the same importer, but keep SCCs as your primary tool until the scheme is operational.
  3. In the importer role, or as a non-EEA provider: consider certification as documentation and a competitive advantage.
  4. Follow the operationalisation – accreditation of certification bodies is still pending, and the EDPB will enter the scheme in the public register.
  5. Remember that the exporter’s due diligence and third-country assessment remain regardless of certification. Document your assessments.

The Europrivacy approval expands the toolbox for third-country transfers for the first time in several years. For most, SCCs will remain the practical mainstay, but certification may become a genuine alternative – particularly in supply chains with many European customers.

This article is general information and does not replace specific legal advice. We are happy to assist with an assessment of your own data transfers.

Sources: EDPB Opinion 14/2026 and Opinion 15/2026; the GDPR (EUR-Lex).


About the author

Kjell Steffner  ·  Attorney-at-law (admitted to the Norwegian Bar)

Partner and Head of Technology and IT, Nordia Law Oslo

Advises on IT contracts, data protection and the GDPR, intellectual property and the legal aspects of artificial intelligence.


Kjell Steffner, Partner, Oslo | kjs@nordialaw.com | +47 905 11 901
