During its plenary session of 15–16 April 2026, the European Data Protection Board (EDPB) adopted two opinions under Article 64 of the General Data Protection Regulation (GDPR) regarding developments in certification mechanisms.
A major step forward for international transfers
These are the first approved certification instruments enabling organisations outside the EEA to formally and demonstrably show that they have implemented the technical and organisational measures required to meet GDPR requirements based on certification criteria.
This development represents a step forward towards greater transparency, increased trust between international actors, and stronger safeguards for data transfers.
What changes in practice
In this context, two developments concerning the Europrivacy certification scheme have been approved:
- the Europrivacy European Data Protection Seal can now be used as an appropriate safeguard for international data transfers, in accordance with Articles 42 and 46 GDPR;
- the scheme has been extended to include organisations established outside the European Economic Area (EEA) but subject to the GDPR under Article 3(2).
These certification criteria were submitted to the European Data Protection Board by the National Commission for Data Protection (CNPD), acting as the competent authority for this scheme.
Strengthened role of certification mechanisms
These decisions provide important clarification on the role of certification mechanisms, confirming their place as a structured tool for GDPR compliance and governance of international data transfers.