PONT Data&Privacy

New EDPB guidance on AVG certificate as pass-through tool

The European Data Protection Board (EDPB) has adopted a first version of guidelines on an AVG certificate as a transfer instrument. These guidelines contain conditions for sharing personal data with countries outside Europe on the basis of an AVG certificate and a transfer contract.

Autoriteit Persoonsgegevens July 5, 2022

With an AVG certificate, an organization can demonstrate that its internal processes are in line with the General Data Protection Regulation (AVG) and that it applies those processes correctly.

To obtain such a certificate, a company must be audited by an accredited certification body. Currently, there are no accredited certification bodies in the Netherlands, but there are expected to be in the future.

AVG certificate as a pass-through tool

An AVG certificate can be the basis for securely sending personal data from the European Union (EU) to countries outside the EU. European companies demonstrate with such a certificate that they have properly implemented the AVG both inside and outside the EU.

Also, foreign companies located outside the EU that offer products and services to people in the EU from abroad can use such a certificate to show that they are operating in line with the AVG.

They do this by getting certified and entering into an additional transfer contract. In this way, AVG certificates can serve as a transfer instrument (1).

Guidelines on certification as a tool for transfers have now been published, covering AVG certification as a transfer tool (2).

Public consultation

These guidelines are not yet final. Anyone who wishes to do so may comment on the guidelines via the EDPB website through September 30, 2022. Following this consultation, the EDPB will adopt the final guidelines.

Learn more about certification

  • AVG Certificate (3);

  • Guidelines on Certification of the EDPB (4), Annex 2 (5) and the Addendum (6).

Update: Autoriteit Persoonsgegevens response to Data&Privacyweb


"The story doesn't quite add up. The principle of AVG certificates has been around for 4 years. Currently two types are already deployed, namely AVG certificate with national scope and with European scope. The new thing (with this third type) is that there are now guidelines for deploying an AVG certificate as a pass-through tool. So: that you can use an AVG certificate (plus transfer contract) to share personal data with countries outside of Europe.

What is new about this compared to the first 2 is that the auditor checks not only whether the company complies with the AVG within the EU, but also whether it complies outside the EU. Indeed, when processing personal data outside the EU, additional things must be arranged to process data securely there. That extra protection is regulated in particular through the additional transfer contract and through a number of additional review criteria that auditors check for."

  1. https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/internationaal/doorgifte-binnen-en-buiten-de-eu

  2. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-072022-certification-tool-transfers_en

  3. https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/avg-certificaat

  4. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2018/guidelines-12018-certification-and-identifying_en

  5. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2019/guidelines-12018-certification-and-identifying_en

  6. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidance-certification-criteria-assessment_en
