The European Data Protection Board this week approved a new version of the Europrivacy certification scheme as a tool for transferring personal data to third countries, issuing Opinion 15/2026 on 15 April 2026. The decision marks a significant step in the GDPR's cross-border transfer framework, giving data importers located outside the European Economic Area a formal certification pathway to demonstrate that the protection guaranteed by the GDPR will follow data after it leaves the EEA.
The opinion was adopted under Article 64(2) GDPR, which requires the EDPB to approve certification criteria when a supervisory authority proposes a scheme intended to operate across all EEA Member States. In this case, the Luxembourg supervisory authority - the LU SA - submitted the application on 29 January 2026. The decision on the file's completeness was taken on 31 March 2026, triggering the eight-week assessment clock. Today's opinion, adopted two weeks before that deadline expires, concludes that the criteria are consistent with the GDPR and formally approves them.
The scheme was developed by the European Center for Certification and Privacy, which serves as the scheme owner. It builds on an earlier version of Europrivacy that the EDPB approved on 10 October 2022, in Opinion 28/2022, as a European Data Protection Seal under Article 42(5) GDPR for demonstrating the compliance of controllers and processors subject to the GDPR. That original scheme, version 60, was not designed for cross-border transfers. The newly approved scheme, version 82, extends the framework to cover a distinct and harder problem: certifying data importers in third countries that sit entirely outside the GDPR's territorial scope under Article 3.
What Article 46(2)(f) GDPR actually requires
The legal architecture here is precise. Under Article 46(2)(f) GDPR, a certification mechanism approved pursuant to Article 42 GDPR can serve as an appropriate safeguard for transfers to third countries - but only if it is accompanied by binding and enforceable commitments from the data importer to apply the safeguards contained in the certification criteria, including as regards data subjects' rights. Without those commitments, the certification alone is not sufficient.
According to the opinion, transfers of personal data to the data importer in the third country can only take place after the importer has been certified and has signed binding and enforceable commitments vis-a-vis the EEA data exporter. The scheme provides a template contract for this purpose, and the criteria specify in detail what those commitments must contain. Among the obligations listed: recognising data subjects as third-party beneficiaries with the right to enforce the certification rules directly against the importer; cooperating with EEA data protection authorities competent for the exporter, including accepting their audits and inspections; abiding by any binding decision issued in EEA member state courts; processing the received data only while the certificate remains valid; and returning or deleting the data if the certificate is withdrawn.
The scheme is distinct from the more commonly used Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021. SCCs are contractual instruments that bind parties by agreement. The Europrivacy scheme, by contrast, combines a formal certification process conducted by an accredited third-party certification body with the contractual commitments, creating a dual-layer assurance structure.
This matters for marketing and advertising technology companies that operate global data flows. Many ad tech vendors based in the United States or elsewhere process audience data, targeting signals, and measurement information that originates with EEA users and is transferred by EEA publishers or advertisers acting as data exporters. The certification pathway under Article 46(2)(f) offers those vendors a mechanism to demonstrate GDPR-equivalent protection without requiring the data exporter to individually negotiate and assess contractual terms each time.
The scope of the scheme and its technical structure
The Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46, designated EP-CS.1.DI, is intended specifically for controllers or processors located outside the EEA that are not subject to the GDPR under Article 3. It can cover a single transfer or a set of transfers where those transfers are closely correlated. The Target of Evaluation - the ToE - covers processing operations performed on the transferred personal data, including the transit of data if that transit is under the control of the same importer.
One boundary is clearly drawn. According to the opinion, the scope of this certification scheme does not cover joint controllers, and where joint controllership is included in the ToE, the certification body must decline to deliver certification. This is not a procedural footnote; it eliminates an entire category of processing structures from the scheme's coverage. Joint controllership arrangements - common in programmatic advertising where demand-side platforms and data management platforms share purpose-setting authority - would need to rely on other transfer mechanisms.
The EDPB assessed three components of the criteria during its review: the Application and Target of Evaluation - Preliminary Checks and Controls for Data Importers (ADI); the Europrivacy GDPR Core Criteria for Data Importers (GI); and the Technical and Organisational Measures Checks and Controls (T). The three-part structure reflects the full lifecycle of a data transfer: eligibility and scoping before certification, substantive GDPR-mapped requirements during certification, and technical security controls verified as part of the audit.
A specific procedural point relates to timing. According to the opinion, the Europrivacy scheme clarifies that transfers cannot start before certification is delivered. This means the audit and certification process must complete before any live personal data flows to the importer. The EDPB acknowledged that prior to transfer, assessments can be conducted using fake data or non-personal data for specific criteria, and that once transfer has started, the auditor must reassess those criteria at the next surveillance audit.
Data protection principles and subject rights
The certification criteria are structured to map against the GDPR's core substantive provisions. Section GI.1 addresses the Article 5 principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Criterion GI.1.1.2 addresses purpose limitation specifically, requiring that transferred personal data be processed only for the purposes for which it was transferred. The only exemptions under which further processing for different purposes is permitted mirror those in the current SCCs: prior informed consent, legal obligation, vital interests of the data subject, and legal claims.
The criteria also require applicants to conduct a written assessment of whether the law and practice in the third country prevent compliance with the Europrivacy criteria. This country-law assessment must be reviewed whenever regulatory or organisational changes may affect compliance or data subjects' rights. If the third-country laws and practices are found to hinder compliance, according to criterion ADI.2.1.5, the certification process stops at the application phase.
On data subjects' rights, the criteria address the full set of Chapter III GDPR entitlements. Section GI.3 requires that applicants have procedures to handle data subject requests and, where no action is taken on a request, to inform the subject of the reasons, the right to lodge a complaint with an EEA data protection authority, and the right to seek a judicial remedy.
A notable requirement concerns Data Protection Officers. The certification criteria require all applicants to appoint a DPO, even in cases where the applicant would not be required to designate one under Article 37 GDPR - which sets the obligation only for certain categories of processing. The DPO must meet the same requirements set out in Articles 37 to 39 GDPR. The EDPB noted this requirement in the opinion without objection, while observing that DPO appointment is not mandatory under GDPR for all controllers and processors.
Data breach obligations and transfer impact assessments
The criteria address breach documentation and notification with precision. Criterion GI.7.1.1 requires applicants to document specific information when a breach occurs: the categories of personal data affected or potentially affected, the approximate number of data subjects affected or potentially affected, the categories and approximate number of personal data records concerned, and the likely consequences of the breach. This mirrors the documentation standard in Article 33(5) GDPR.
When a breach is likely to result in a risk to the rights and freedoms of natural persons, criterion GI.7.1.2 requires the applicant to have rules or mechanisms in place to notify the EEA data protection authority competent for the exporter and to communicate to affected data subjects consistently with Articles 33 and 34 GDPR.
On the transfer safeguards side, the criteria require that applicants have performed a Transfer Impact Assessment under criterion GI.10.1.5 and, where necessary, adopted supplementary measures to ensure that the level of protection of the transferred data is not undermined. This parallels the supplementary measures framework that the EDPB set out following the Schrems II judgment of the Court of Justice of the EU in July 2020. According to criterion GI.11.1.3, where compliance with the certification requirements cannot be ensured, the data importer must inform the exporter and the transfer must be suspended or stopped.
What the scheme will be registered as
According to the opinion, the EDPB will register the Europrivacy certification scheme in the public register of certification mechanisms, data protection seals, and marks, and will make the criteria publicly available pursuant to Article 42(8) GDPR. The opinion is addressed to the Luxembourg supervisory authority and will be made public pursuant to Article 64(5)(b) GDPR. It was signed by EDPB Chair Anu Talus.
For the marketing and advertising industry, the practical relevance is concentrated in the data transfer compliance layer. Companies in the EEA that transfer personal data to processors or sub-processors in the United States, India, or other third countries face ongoing compliance obligations under Chapter V GDPR. The addition of an approved certification mechanism as a usable transfer tool expands the options available alongside adequacy decisions, SCCs, and Binding Corporate Rules. Unlike adequacy decisions - which cover entire countries and depend on Commission assessments of national legal systems - certification under Article 46(2)(f) is entity-specific and processing-specific. That specificity creates more targeted compliance evidence, though it also requires more active management by both the data exporter and the certification body.
The EDPB has been progressively building out its work on certification as a transfer tool as part of its 2024-2025 work programme, which identified opinions on certification as a tool for transfers as an explicit output. The approval of the Europrivacy scheme's transfer extension is one such output, delivered alongside Opinion 14/2026 on the updated core version 82 criteria adopted for compliance purposes. Together, the two opinions give the Europrivacy scheme a dual-function structure: demonstrating GDPR compliance for controllers and processors within the EEA's scope, and demonstrating appropriate safeguards for importers outside it.
The EDPB also noted that GDPR certifications remain voluntary accountability tools, and that adherence to a certification mechanism does not prevent supervisory authorities from exercising their powers under the GDPR. This is a standing reminder that certification reduces compliance risk but does not eliminate supervisory authority oversight - including with regard to the specific binding and enforceable commitments signed by the data importer.
For companies processing audience data across borders, the Europrivacy transfer certification joins a set of mechanisms that the marketing technology industry has watched closely since the Schrems II decision invalidated the EU-US Privacy Shield in 2020. GDPR's cross-border enforcement architecture has accumulated over 6,680 enforcement actions and 4.2 billion euros in fines since 2018, concentrating regulatory risk in precisely the areas where ad tech and martech data flows are most intensive.
Timeline
- 4 June 2021 - European Commission adopts Implementing Decision (EU) 2021/914, establishing modernised Standard Contractual Clauses for transfers to third countries under GDPR.
- 10 October 2022 - EDPB adopts Opinion 28/2022, approving the Europrivacy certification criteria (version 60) as a European Data Protection Seal under Article 42(5) GDPR to demonstrate compliance with the GDPR. Not a transfer tool at this stage.
- 14 February 2023 - EDPB adopts Guidelines 07/2022 on certification as a tool for transfers (Version 2.0), providing the framework against which transfer-related certification criteria are assessed.
- 8 October 2024 - EDPB adopts its Work Programme 2024-2025, explicitly listing opinions on certification as a tool for transfers as a key action under data transfer mechanisms.
- 29 January 2026 - Luxembourg supervisory authority (LU SA) submits to the EDPB an updated version of the Europrivacy criteria (version 82), extending scope to applicants under Article 3(2) GDPR, and separately submits the Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46, intended as a tool for transfers under Article 46(2)(f) GDPR.
- 31 March 2026 - Decision on completeness of the file is taken, starting the assessment clock under Article 64(2) GDPR.
- 15 April 2026 - EDPB adopts Opinion 14/2026 on the updated Europrivacy core criteria (version 82) and Opinion 15/2026 approving the Europrivacy transfer extension as a European Data Protection Seal to be used as a tool for transfers. EDPB Chair Anu Talus signs both opinions.
Summary
Who: The European Data Protection Board (EDPB), chaired by Anu Talus, approved the Europrivacy certification criteria developed by the European Center for Certification and Privacy. The Luxembourg supervisory authority submitted the application.
What: Opinion 15/2026 approves the Europrivacy Certification Scheme Extension for Certifying Data Importers under Article 46 as a European Data Protection Seal, enabling it to serve as a tool for transferring personal data from EEA exporters to non-EEA importers under Article 46(2)(f) GDPR. The EDPB will register the scheme in the public register of certification mechanisms and make the criteria publicly available.
When: The opinion was adopted on 15 April 2026. The LU SA submitted the application on 29 January 2026; file completeness was confirmed on 31 March 2026.
Where: The approval operates across all EEA Member States and covers transfers from any EEA data exporter to data importers located in third countries or international organisations outside the EEA.
Why: Article 46 GDPR requires that personal data transfers to third countries without an adequacy decision must be accompanied by appropriate safeguards. Certification under Article 46(2)(f), combined with binding and enforceable commitments from the data importer, provides one such safeguard. The Europrivacy scheme's approval gives organisations an additional certified transfer mechanism beyond SCCs and Binding Corporate Rules, with entity-specific and processing-specific scope.