The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.
EDPB Deputy Chair Ventsislav Karadjov said: “These guidelines are ground-breaking, as they provide the very first practical guidance on certification as a tool for transfers – a new transfer tool introduced by the GDPR. The guidelines provide guidance on how this tool can be used in practice and how it can help maintain a high level of data protection when transferring personal data from the European Economic Area to third countries.”
The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification. The guidelines will be subject to public consultation until the end of September.
The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the French SA as lead supervisory authority (LSA) regarding Accor SA, a company specialised in the hospitality sector whose main establishment is located in France, and the subsequent objections expressed by one of the concerned supervisory authorities (CSAs).
The LSA issued the draft decision following a complaint-based inquiry into Accor SA, concerning a failure to take into account the right to object to the receipt of marketing messages by mail and/or difficulties encountered in exercising the right of access. On 30 April 2021, the LSA shared its draft decision with the CSAs in accordance with Art. 60(3) GDPR. One CSA issued objections pursuant to Art. 60(4) GDPR concerning, among others, the amount of the fine.
The SAs were unable to reach consensus on one of the objections, which was then referred by the LSA to the EDPB for determination pursuant to Art. 65(1)(a) GDPR, thereby initiating the dispute resolution procedure.
The EDPB has now adopted its binding decision. The decision addresses the merits of the part of the objection found to be “relevant and reasoned” in line with the requirements of Art. 4(24) GDPR.
The decision will now be urgently translated pursuant to Art. 11.6 of the EDPB Rules of Procedure. Next, the concerned supervisory authorities will be formally notified. The LSA shall adopt its final decision, addressed to the controller, on the basis of the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website without undue delay after the LSA has notified its national decision to the controller.
Note to editors:
The guidelines are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
The Art. 65 binding decision will bel published after the LSA has notified its final decision to the controller. For further information on the Art. 65 procedure, please consult the FAQ