In the absence of an adequacy decision, data exporters (controllers and processors) may rely on certification mechanisms as appropriate safeguards for transfers of personal data to third countries.[1] Certification mechanisms may be developed and established to demonstrate the existence of appropriate safeguards provided by data importers (controllers or processors) in third countries in order to allow for personal data transfers to third countries.[2] Certified third-country data importers (controllers or processors) shall, in addition to the certification, make binding and enforceable commitments, via contractual or other legally binding instruments, to apply the safeguards on which the certification is based.[3]
Certification mechanisms must be approved by the competent supervisory authority and comply with articles 42 and 46 (2) f) of the GDPR[4] as well as with the EDPB Guidelines 07/2022 on certification as a tool for transfers[5] in order to constitute appropriate safeguards within the framework of transfers of personal data to third countries or international organisations. Further information can be found in the EDPB Guidelines 07/2022 on certification as a tool for transfers. These guidelines provide guidance on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different actors involved. Furthermore, they contain specific requirements for accreditation of certification bodies and specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers. Finally, they clarify the elements that should be addressed in the binding and enforceable commitments that data importers (controllers or processors) in the third country not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries.
Certification as a tool for transfers can cover transfers from all EU countries (EU-Seal) or just transfers from one EU member state to the third countries (national certification). In the latter case, the national authority approves the certification mechanism following an EDPB opinion. In case of an EU-Seal, the EDPB approves the certification mechanism. Once the certification as a tool for transfers is approved, data importers from third countries can apply for certification with certification bodies. Data exporters transferring data to certified data importers can then rely on the certification mechanism as an appropriate safeguard.
Further information on the approval procedure can be found in the EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation.
In accordance with article 4 of the Regulation n°7/2020 of 3 April 2020 of the National Data Protection Commission laying down the amount and payment terms of the fees within the framework of its powers of authorisation and consultation, each scheme owner who submits to the CNPD an application for approval of a certification scheme pursuant to Article 42 (5) of the GDPR must pay a fee to the CNPD, the amount of which depends on the step of the procedure.
[1] Article 46, paragraph 2, letter f) of the GDPR.
[2] Articles 42 and 46, paragraph 2, letter f) of the GDPR.
[3] Article 42, paragraph 2 of the GDPR.
[4] See Articles 40, 42 and 46 of the GDPR.
[5] EDPB Guidelines 07/2022 of 14 February 2023 on certification as a tool for transfers.