Privacy, green light to the guidelines on data transfer outside the EU

The EDPB issues the rules on certification as a tool for data transfer to third countries. The document in consultation until the end of September 16 Jun 2022 Patrizia Licata journalist

A new piece of the GDPR can fully come into operation to protect the transfer of personal data of EU citizens to countries outside the European Economic Area. The EDPB Committee has adopted the certification guidelines as a tool for personal data transfers. The main purpose is to provide further clarification on the practical use of this tool provided for by the European Privacy Regulation. Art. 46(2)(f) of the Gdpr introduces, in fact, certification mechanisms approved as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. EDPB Vice-President Ventsislav Karadjov stressed that the guidelines "provide guidance on how this tool can be used in practice and how it can help maintain a high level of data protection when transferring personal data from the European Economic Area to third countries". Index of topics • Four-point guidelines • The decision on the Accor case and the privacy of hotel guests Four-point guidelines The guidelines consist of four parts, each focusing on specific aspects related to certification as a tool for transfers, such as the purpose, scope and different actors involved; implementation of guidelines on accreditation requirements for certification bodies; specific certification criteria in order to demonstrate the existence of adequate safeguards for transfers; and the binding and enforceable commitments to be implemented.

The new guidelines complement the 1/2018 certification guidelines, which provide more general guidance on certification. They will be the subject of public consultation until the end of September. The decision on the Accor case and the privacy of hotel guests Separately, the EDPB adopted a dispute resolution decision on the basis of Article 65 of the Gdpr. The binding decision seeks to remedy the lack of consensus on certain aspects of a draft decision issued by the SA (supervisory authority) French as lead supervisory authority ( LSA) against Accor, a company specialising in the hospitality sector whose head office is located in France, and the subsequent objections expressed by one of the supervisory authorities concerned (concerned supervisory authorities, Csa). The LSA issued the draft decision following an investigation based on a complaint against Accor regarding the failure to take into account the right to object to the receipt of marketing messages by post and/or the difficulties encountered in exercising the right of access. On 30 April 2021, the LSA shared its draft decision with the CSAs; a CSA raised objections, inter alia, to the amount of the penalty; in the absence of consensus, the dossier was referred to the EDPB for the resolution of the dispute. The EDPB has now adopted its binding decision. The decision addresses the substance of the part of the exception considered "relevant and reasoned". The decision will now be translated as a matter of urgency. Subsequently, the supervisory authorities concerned will be formally informed and the LSA will have to adopt its final decision, addressed to the controller.