On 16 April 2026, the European Data Protection Board (EDPB) adopted two significant decisions regarding Europrivacy certification. First, it extended the scope of Europrivacy to controllers and processors established outside Europe who are subject to the GDPR under Article 3(2). Second — and this is the precedent-setting change — it approved a version of the Europrivacy certification criteria that can be used as a mechanism for international data transfers under Articles 42 and 46 GDPR.
Until now, GDPR certification functioned exclusively as a tool for demonstrating processing compliance — not as a basis for transferring personal data outside the EEA. This decision changes that.
What Is Europrivacy
Europrivacy is the first and so far only European Data Protection Seal approved by the EDPB under Article 42(5) GDPR. The original approval was issued in October 2022 (EDPB Opinion 28/2022). The seal confirms that a specific data processing activity meets GDPR requirements, following an independent audit by an accredited certification body.
Until April 2026, Europrivacy was available only to controllers and processors established in EU and EEA countries. The scope has now been extended.
What Changes from April 2026
Extension to Non-European Entities
Entities in third countries that are subject to the GDPR under Article 3(2) — meaning they offer goods or services to individuals in the EU or monitor their behaviour — can now apply for Europrivacy certification. A company in the US, Japan, or Brazil that processes personal data of EU individuals can use this mechanism to demonstrate compliance.
Europrivacy as a Transfer Mechanism (Article 46 GDPR)
This is the key change. The EDPB approved a separate version of Europrivacy criteria that may serve as part of appropriate safeguards for international data transfers — in accordance with Articles 42 and 46 GDPR.
In practice, this means that a data importer outside the EEA that obtains Europrivacy transfer certification may be considered as providing appropriate safeguards. The condition: binding and enforceable commitments must be in place towards the data exporter.
What This Means for Controllers and DPOs
A New Tool Alongside SCCs and BCRs
Until now, the main mechanisms for transferring data to third countries have been Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and — rarely used — adequacy decisions. Europrivacy certification joins this catalogue as an Article 46 GDPR mechanism.
Will it replace SCCs? Unlikely — at least not in the short term. SCCs remain the most widely used tool and do not require external auditing. Europrivacy requires a certification process, which involves costs and time.
When Europrivacy Makes Sense
Transfer certification under Europrivacy may be particularly useful where:
- an organisation wants to demonstrate importer compliance in a documented and independently verified manner — for example, during a supervisory authority inspection
- a data importer serves multiple EU exporters and wants a single mechanism confirming safeguards rather than negotiating SCCs with each exporter individually
- an organisation operates in a high-risk sector (health, finance, sensitive data) and needs a stronger argument than a signed set of SCCs
Limitations
Certification is not a standalone transfer mechanism — it requires additional binding commitments. It does not exempt controllers from conducting a Transfer Impact Assessment (TIA). It also does not mean automatic GDPR compliance — the certificate confirms compliance of a specific processing activity at a given point in time, not the entire organisation.
Context: Why the EDPB Is Opening Certification to Transfers
The GDPR has provided for certification as a transfer mechanism since 2018 (Article 42(2) in conjunction with Article 46(2)(f)). For eight years, no certification scheme had been approved in this role. Europrivacy is the first.
This coincides with several other EDPB initiatives aimed at simplifying GDPR application — including work on the Digital Omnibus, the EDPB 2025 Annual Report emphasising the need for certification tools, and activities under the Coordinated Enforcement Framework 2026.
Summary
The EDPB decision of 16 April 2026 makes Europrivacy the first certified mechanism for international personal data transfers under the GDPR. For most organisations, SCCs will remain the primary tool — but Europrivacy opens a new pathway, particularly for data importers serving multiple European partners. It is worth monitoring how supervisory authorities will treat this mechanism in enforcement practice.
Source: EDPB
FAQ
No. Europrivacy is an additional mechanism under Article 46 GDPR, joining the catalogue alongside SCCs and BCRs. It does not replace any existing tool — it expands the available options.
Data importers outside the EEA who receive personal data from EU exporters. Certification is conducted by accredited certification bodies and requires meeting a separate set of criteria approved by the EDPB.
No. The controller transferring data must still carry out a Transfer Impact Assessment and evaluate whether the law of the third country undermines the effectiveness of the safeguards.
Costs depend on the scope of certification and the certification body. The EDPB does not regulate pricing — costs are set by the market through accredited bodies.
No — a Europrivacy certificate relates to a specific data processing activity, not the entire organisation. Each activity requires a separate assessment.
Manage data transfers and processors in one place
iGDPR lets you document international data transfers, assign transfer mechanisms to processing activities, and manage data processing agreements — all linked to your record of processing activities. See how it works in practice.
START FREE TRIAL — 21 days, no commitment