On 16 April, the European Data Protection Board (EDPB) published two relevant opinions through which the Board approves, on the one hand, a new version of the Europrivacy certification scheme and, on the other, an extension of the scheme itself to allow its use as a mechanism for carrying out international data transfers in accordance with Article 46.2.f) of the GDPR:
- Opinion 14/2026 on the Europrivacy certification criteria in relation to its approval as a European Data Protection Seal pursuant to Article 42(5) of the GDPR;
- Opinion 15/2026 on those criteria regarding their use as a tool for international transfers pursuant to Articles 42 and 46 of the GDPR.
Below is a brief description of the main changes introduced in this certification scheme.
Update of certification criteria and extension of the Europrivacy scheme to entities located outside the European Economic Area (EEA) to which the GDPR applies pursuant to Article 3.2.
Through Opinion 14/2026, the EDPB has approved a new version (version 82) of the Europrivacy certification scheme.
The main change to highlight is the extension of the certification scheme to entities located outside the EEA to which the GDPR applies pursuant to Article 3.2.
Therefore, with this amendment, the Europrivacy scheme applies to:
- controllers and processors established in the European Union (EU) or the EEA; and
- controllers and processors established outside the EEA that are subject to the GDPR under Article 3(2), either because they offer goods or services to data subjects located in the EEA or because they monitor their behaviour.
In order to certify processing activities carried out by entities located outside the EEA (to which the GDPR applies), the new criteria require the applicant to provide a report prepared by a legal expert assessing that the legislation and practices of the third country do not prevent compliance with their data protection obligations under the GDPR. Additionally, where the applicant is established in a third country for which there is an adequacy decision applicable to the processing included in the Target of Evaluation (ToE), this requirement may be satisfied through a simplified report.
In line with the obligations set out in the GDPR, the new criteria establish that an applicant subject to Article 3.2 must designate a representative in the EEA in accordance with Article 27 of the GDPR, whose contact details must be available on its website (criterion G.4.1.4).
Furthermore, a relevant clarification is introduced regarding joint controllership, establishing that a controller may submit for certification a ToE in which joint controllership exists (criterion A.2.1.5).
Also noteworthy is the introduction of a specific criterion relating to possible further processing, which requires demonstrating that personal data will not be processed in a manner incompatible with the purposes for which they were collected. The lawfulness of any further processing must be assessed separately through an appropriate purpose compatibility assessment (criterion G.1.1.6).
Finally, the EDPB establishes that all certification processes initiated under the first version of the scheme (version 60) must be completed during 2026. From 2027 onwards, certificates may no longer be issued based on that version of the Europrivacy scheme.
Regarding the validity of certificates already granted, it is provided that, once 2029 has ended, the certification criteria approved under the previous version (v60) will be fully replaced by the new criteria (version 82).
Extension of Europrivacy as an official mechanism for international data transfers under Article 46.2.f)
On the other hand, through Opinion 15/2026, the EDPB has approved an additional set of certification criteria (“Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46”), intended for use as an instrument for international data transfers in accordance with Article 46.2.f) of the GDPR.
This scheme is configured as an extension of the Europrivacy certification scheme, with the aim of certifying data importers (controllers or processors) established outside the EEA and not subject to the GDPR.
The EDPB clarifies that the scope of this scheme, as a transfer tool, differs from that of Europrivacy certification under Article 42.1 of the GDPR, insofar as it establishes specific criteria applicable to data importers located outside the EEA.
Among the most important aspects to highlight are the following:
- The scheme requires, in line with Article 46 of the GDPR, the assumption of binding and enforceable commitments by the importer towards the data exporter. To this end, Europrivacy provides a model of bilateral contractual clauses to formalise such commitments.
- The exporter must reflect the use of the certification as a transfer mechanism in the relevant contract (whether under Article 28 GDPR or in controller-to-controller agreements) and comply with the information obligations set out in Article 13.1.f) of the GDPR.
- A documented assessment must be carried out demonstrating that the legislation and practices of the third country do not prevent compliance with the Europrivacy criteria, respect the essence of fundamental rights, and do not exceed what is necessary and proportionate in a democratic society in accordance with Article 23.1 of the GDPR. This assessment must be updated in the event of relevant changes.
- The certification scheme requires the performance of a Transfer Impact Assessment (TIA) and, where appropriate, the adoption of supplementary measures. The certification body must verify, prior to the audit, that the applicant can demonstrate compliance with these requirements; otherwise, the certification process must be suspended.
- Transfers may only be initiated once certification has been granted and after the importer has entered into binding and enforceable commitments towards the EEA exporter.
- The scheme does not apply to cases of joint controllership. Consequently, if the ToE includes a situation of joint controllership, the certification body must refuse to issue the certificate.
- The scheme places particular emphasis on data subjects’ rights, including transparency, complaint handling, judicial redress, and cooperation with EEA supervisory authorities.
Finally, the EDPB highlights that the certification process must be suspended if the applicant cannot demonstrate that the legal framework of the third country allows compliance with the established criteria. The importer must keep its assessment up to date and notify any relevant changes that may affect the level of protection.
Conclusions
With the latest changes approved by the EDPB, Europrivacy evolves into a certification scheme with a global scope, expanding its reach both to extraterritorial entities subject to the GDPR and to data importers located outside the EEA.
The new criteria not only broaden the scope of Europrivacy as a certification scheme for processing activities, allowing certified entities to benefit from the advantages provided under the GDPR, but also strengthen its practical utility by enabling its use as a tool for international data transfers in accordance with Article 46.2.f) of the GDPR. In particular, this extension will make it possible to certify data importers receiving personal data from organisations located in the European Economic Area (exporters), providing such transfers with an additional framework of safeguards and legal certainty.
Europrivacy implementation services
ECIJA Barcelona is an Official Partner of Europrivacy and an authorised entity to provide implementation services for the scheme. ECIJA Barcelona has a specialised Europrivacy team composed of more than 10 professionals certified as Europrivacy Implementers and Auditors.
The services offered include, among others, support in selecting the processing activity or activities to be certified; preparation of the documentation required to submit the application to the certification body; conducting a gap analysis; designing the legal and organisational measures necessary to comply with the applicable criteria; support throughout the certification process; and annual certification maintenance activities.
For further information, interested entities may send an email to: europrivacy.barcelona@ecija.com
Privacy, Compliance and Cybersecurity Department of ECIJA Barcelona