The first-ever European data protection seal

In October 2022, the European Data Protection Board (EDPB) approved the first-ever "European Data Protection Seal" under Article 42 (5) of the GDPR. While the certification only applies to a process as opposed to the organisation as a whole, it will be recognised in all EU countries.
 

Overview

In October 2022, the European Data Protection Board (EDPB) approved the Europrivacy criteria for certification as the first-ever "European Data Protection Seal" (common certification) under Article 42 (5) of the GDPR. Certifications are important mechanisms defined in the GDPR, as they enable controllers and processors to demonstrate compliance with the GDPR. The EDPB's approval means that Europrivacy certificates will be officially recognised in all EU countries.

Notably, the certification applies to a process within an organisation as opposed to the organisation itself. In other words, an organisation as a whole cannot be certified as compliant under the Europrivacy criteria.

However, the Europrivacy criteria for certification are not an approved certification mechanism within the meaning of Article 46(2)(f) of the EU GDPR. Consequently, the certification cannot be relied on as a tool for international data transfers.
 

Why is this significant and what does it mean for me?

Europrivacy's approved criteria do not have any direct impact on UK-based organisations. However, for UK organisations dealing with EU entities, the use of the European Data Protection Seal could serve as evidence that a specific process within an organisation is compliant with the EU GDPR and, likely, the UK data protection laws. This could help to alleviate any concerns as to privacy compliance and reduce the need to conduct a full due diligence check.

It remains to be seen how this development plays out. The Data Protection Seal focuses on processes rather than overall compliance. This raises the question as to how much uptake we will see by organisations across the EU. Technically, an organisation could have the Seal awarded across all its processes. However, this could be a lengthy process and there would still need to be regular updates and re-awarding of the Data Protection Seal every couple of years.

Nevertheless, it is an exciting development and is the first approved scheme of its type. It is another step towards a full certification scheme which is something that all organisations will want to adopt.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
 
