Written by: Haim Ravia, Dotan Hammer
On April 16, 2026, the EDPB adopted two opinions — Opinion 14/2026 and Opinion 15/2026 — approving updated Europrivacy certification criteria, marking two distinct and significant milestones in the evolution of the GDPR’s certification and international data transfer frameworks.
Opinion 14/2026 approves version 82 of the Europrivacy certification criteria as a European Data Protection Seal pursuant to Article 42(5) of the GDPR, enabling controllers and processors to demonstrate compliance with GDPR requirements through certification. The EDPB had first approved the Europrivacy certification criteria on October 10, 2022, through Opinion 28/2022, as the first-ever European Data Protection Seal. That original scheme (version 60) was limited to entities within the EU/EEA. The updated version 82 now extends the scope to controllers and processors established outside Europe who are subject to Article 3(2) of the GDPR — either because they provide goods or services to individuals in Europe or because they monitor their behavior. This means that, for the first time, non-EEA entities subject to the GDPR can apply for Europrivacy certification to demonstrate their compliance.
Opinion 15/2026 goes further by approving a separate, dedicated set of Europrivacy certification criteria as a European Data Protection Seal to be used as a tool for international data transfers in accordance with Articles 42 and 46 of the GDPR. This is the first time the EDPB has approved any certification criteria as a transfer tool — providing organizations with a new mechanism, alongside Standard Contractual Clauses and Binding Corporate Rules, for lawful cross-border data transfers.
Under this scheme, data importers located outside Europe who are not subject to the GDPR can apply for certification to demonstrate the existence of appropriate safeguards for the personal data they receive from the EEA. The certification must be combined with binding and enforceable commitments by the data importer. The certification criteria require the applicant to maintain a clear mapping of all personal data flows in scope, identify all transfers to third countries and international organizations, and adopt appropriate transfer grounds in line with Chapter V of the GDPR. The criteria also address onward transfers and require procedures for notifying competent EEA data protection authorities and data subjects in the event of a personal data breach.
The EDPB emphasized that certification remains a voluntary accountability tool — adherence to a certification mechanism does not prevent supervisory authorities from exercising their powers under the GDPR. Exporters remain responsible for verifying that the certification is valid, applicable to the specific transfer, and sufficient in context.
The scheme was developed by the European Center for Certification and Privacy, which serves as the scheme owner.
Click here to read EDPB Opinion 14/2026 on the updated Europrivacy certification criteria (GDPR compliance).
Click here to read EDPB Opinion 15/2026 on the Europrivacy certification as a transfer tool.
