The Italian Privacy Guarantor is among the signatories of the document that establishes the rules on certification as a tool for data transfer outside Europe. Proposed changes can be submitted until 30 September.
30 Jun 2022 L. O.
Companies and organizations will have until September 30 to propose changes to the "Guidelines on certifications as a tool for the transfer of personal data" to countries outside the European Economic Area, just approved by the European Privacy Guarantors within the EDPB.

What the document in consultation contains

The document put up for consultation, to which the Italian Guarantor also contributed, provides clarifications and practical examples for the use of certifications as a tool for transferring the personal data of data subjects (such as customers, employees and users) to third countries whose adequacy has not been recognized by the European Commission.
The certification tool can prove to be of particular importance, says the Italian Privacy Guarantor, "adding to other existing tools, such as standard contractual clauses, ad hoc contractual clauses and binding corporate rules".

The 4 steps of the guidelines

The newly approved guidelines consist of four parts and delve into specific aspects of certification as a tool for transfers.

The first part analyzes general issues, including the role of the data importer in the third country that receives a certification and that of the data exporter.

In the second part, the Guarantors provide clarifications on some of the accreditation requirements for certification bodies (already contained in previous EDPB guidelines and in ISO 17065).

The third part analyzes the specific criteria for demonstrating the existence of adequate guarantees for the transfer. These relate in particular to the assessment of the legislation of third countries, the general obligations of exporters and importers, the rules on onward transfers, the rights of third party beneficiaries and the remedies available, and the measures to be taken where national legislation and practices prevent compliance with the commitments entered into by the importer in the context of certification, as well as in cases of requests for access to data by authorities of third countries.

Finally, the fourth part addresses the binding and enforceable commitments to be implemented. The GDPR requires that data controllers and data processors not subject to the European Regulation, when they adhere to a certification mechanism intended for transfers, assume binding and enforceable commitments, through contractual instruments or other legally binding instruments, regarding the guarantees provided for by the certification mechanism, including with regard to the rights of data subjects.