
EDPB approves first European Data Protection Seals: what it means for your GDPR compliance


EDPB approved the first European Data Protection Seals in April 2026, extending GDPR certification to non-EEA entities and adding a new international data transfer tool.


Quick summary

The EDPB’s April 2026 opinions expand how GDPR certification can be used. Non-EEA organizations can now apply for the European Data Protection Seal, and data importers outside Europe have a certification-based option for demonstrating appropriate safeguards for EU data transfers. Certification is still voluntary and does not replace GDPR obligations, but it gives organizations another recognized way to show accountability to regulators, partners, and customers.

For years, GDPR certification under Article 42 existed more in theory than in practice. Certification bodies were accredited slowly, approved schemes were limited, and the framework was almost entirely restricted to organizations within the EU.

That changed on April 16, 2026. The European Data Protection Board adopted two landmark opinions for the Europrivacy certification scheme that do something the GDPR's certification framework has never done before: make a European Data Protection Seal available to organizations outside Europe, and create the first-ever certification-based mechanism for international data transfers.

In this post, we look at exactly what was approved, why it matters, and what you should do with this information if your organization handles personal data from the EU.

What is a European Data Protection Seal?

A European Data Protection Seal is the highest tier of GDPR certification. It is issued when the European Data Protection Board formally reviews and approves certification criteria under Article 42(5) of the GDPR. Organizations that achieve certification under an approved seal can use it as structured, third-party-verified evidence of their data protection practices.

The first European Data Protection Seal was approved in October 2022, when the EDPB endorsed the original Europrivacy certification criteria through Opinion 28/2022. That original scheme was limited to entities established within the EU and EEA. The April 2026 approvals are the second and third European Data Protection Seals in the GDPR's history.

The scheme is developed and maintained by the European Center for Certification and Privacy, which acts as the scheme owner.

What did the EDPB approve in April 2026?

The EDPB adopted two opinions on April 16, 2026.

Opinion 14/2026: updated Europrivacy criteria (GDPR compliance)

Opinion 14/2026 approves version 82 of the Europrivacy certification criteria as a European Data Protection Seal under Article 42(5) of the GDPR.

The key change from the original 2022 scheme is the scope. The updated criteria now extend certification to controllers and processors established outside the EU and EEA who are subject to GDPR via Article 3(2), which covers organizations that offer goods or services to people in the EU, or that monitor the behavior of individuals in the EU, regardless of where the organization is based.

This is the first time a European Data Protection Seal has been available to non-EEA organizations. If your company is based in the US, Canada, Singapore, or anywhere else outside Europe, but GDPR applies to you because you serve EU residents, you can now apply for Europrivacy certification.

Opinion 15/2026: certification as a transfer tool (first of its kind)

Opinion 15/2026 approves a separate, dedicated set of Europrivacy certification criteria specifically designed as a tool for international data transfers under Articles 42 and 46 of the GDPR.

Under this scheme, data importers located outside Europe who are not subject to the GDPR can apply for certification to demonstrate that they maintain appropriate safeguards for the personal data they receive from the EEA. The certification must be combined with binding and enforceable commitments from the data importer.

This is the first time the EDPB has approved any certification criteria as a transfer tool. Before this, only Standard Contractual Clauses and Binding Corporate Rules were widely available as legal mechanisms for cross-border data transfers.

A new option alongside SCCs and BCRs

Before April 2026, organizations transferring personal data out of the EEA had two primary legal mechanisms: Standard Contractual Clauses and Binding Corporate Rules. The new Europrivacy transfer tool adds a third option.

| Transfer mechanism | Who can use it | Typical timeline | Regulatory involvement |
| --- | --- | --- | --- |
| Standard Contractual Clauses (SCCs) | Any data exporter or importer | Relatively quick to implement | Low (pre-approved by European Commission) |
| Binding Corporate Rules (BCRs) | Multinational company groups only | 1 to 2 years typically | High (requires DPA approval) |
| Europrivacy certification (new transfer tool) | Data importers outside the EU not subject to GDPR | Varies by certifying body | Medium (must be paired with binding and enforceable commitments from the importer) |

One thing is important to understand from the start. The new certification does not replace SCCs or BCRs. According to the EDPB, the certification must always be combined with binding and enforceable commitments from the data importer. The data exporter also remains responsible for verifying that the certification is valid, applicable to the specific transfer in question, and sufficient in context.

Think of certification as an accountability layer that adds structure and third-party verification to your transfer documentation, not a shortcut around the other requirements.

What does the certification require?

Organizations pursuing the Europrivacy transfer tool certification must meet specific criteria. Based on the EDPB's Opinion 15/2026, those requirements include:

  1. Maintaining a clear mapping of all personal data flows within the scope of the certification

  2. Identifying all transfers to third countries and international organizations

  3. Adopting appropriate transfer grounds in line with Chapter V of the GDPR

  4. Addressing onward transfers, meaning transfers from the importer to a further third party

  5. Having documented procedures to notify competent EEA data protection authorities and affected individuals in the event of a personal data breach

The standard also requires the applicant to define the categories of personal data covered, the purposes of processing, and the technical and organizational measures in place to protect the data.

Does achieving certification mean you are fully GDPR compliant?

No, and the EDPB was explicit on this point. Certification is a voluntary accountability tool. Achieving Europrivacy certification does not prevent supervisory authorities from exercising their powers under the GDPR, including investigations, audits, or enforcement actions.

What certification does provide is structured, third-party-verified evidence that your organization has assessed its data protection practices against a recognized standard. That is meaningful in regulatory conversations and in demonstrating accountability, but it is not a legal shield and it does not guarantee any particular regulatory outcome.

Certification also covers specific aspects of GDPR compliance. It does not replace the full range of obligations under the regulation, including lawful bases for processing, data minimization, data subject rights, and consent management.

Who should pay attention to this development?

This matters most for three types of organizations.

Organizations outside the EU that are subject to GDPR via Article 3(2). If you offer goods or services to EU residents, or monitor their behavior online, GDPR applies to you regardless of where your company is incorporated. The updated Europrivacy criteria now give you a recognized European certification path to demonstrate your GDPR compliance posture. Previously, that option simply did not exist.

Data importers receiving EEA personal data who are not subject to GDPR. If your organization receives personal data from EEA-based customers or partners and you are not directly subject to GDPR, the new transfer tool certification gives you a structured way to demonstrate appropriate safeguards. This could simplify data transfer agreement negotiations and reduce due diligence friction with EEA counterparts.

Organizations managing multiple legal transfer mechanisms. If you currently rely on Standard Contractual Clauses as your primary transfer mechanism and want to add another layer of documented accountability, certification is now worth evaluating as a complementary tool. It is also a new standard against which you can evaluate the safeguards maintained by your third-party data importers.

Conclusion

The EDPB’s April 2026 opinions make GDPR certification more practical for organizations outside the EEA. Non-EEA companies can now pursue the European Data Protection Seal, while data importers have a new certification-based path for demonstrating appropriate safeguards for EU data transfers.

Certification remains voluntary and does not replace broader GDPR obligations. But for organizations handling EU personal data, it offers a recognized way to support accountability and demonstrate compliance posture.

If your organization is outside the EEA but handles EU personal data, GDPR certification may now be a more relevant part of your privacy program.

How Clym can help

Managing GDPR compliance involves more than a single certification or transfer mechanism. From cookie consent and privacy notices to data subject requests and consent records, there are multiple layers to get right across your website and digital properties.

Clym's consent management platform helps you build and manage those layers in one place, covering cookie consent, privacy policy generation, data subject rights management, and support for global regulations, including the GDPR.

Frequently asked questions

The European Data Protection Seal is a formal GDPR certification approved by the European Data Protection Board under Article 42(5). It means a certification scheme meets EU-wide data protection standards, and organizations that achieve it can use the certification as evidence of their GDPR compliance practices.

On April 16, 2026, the EDPB approved two opinions for the Europrivacy certification scheme. Opinion 14/2026 extends the existing European Data Protection Seal to non-EEA entities subject to GDPR. Opinion 15/2026 creates the first certification-based mechanism for international data transfers under Articles 42 and 46 of the GDPR.

Yes. The updated Europrivacy criteria (version 82) extend the European Data Protection Seal to controllers and processors established outside the EU or EEA who are subject to GDPR via Article 3(2), meaning organizations that offer goods or services to EU residents or monitor their behavior.

It is the first EDPB-approved certification scheme that data importers outside Europe can use as a legal mechanism for receiving personal data from the EEA. It must be combined with binding and enforceable commitments from the data importer, and data exporters remain responsible for verifying the certification is valid and applicable to the specific transfer.

SCCs are contractual clauses pre-approved by the European Commission that any data exporter or importer can use quickly. GDPR certification under the new transfer tool is a third-party-verified scheme that requires the importer to meet defined criteria and maintain binding commitments. The two mechanisms can be used together for stronger accountability documentation.

No. The EDPB confirmed that certification is voluntary and does not prevent supervisory authorities from exercising their enforcement powers. Certification provides third-party-verified evidence of your data protection practices for the areas covered, but it does not guarantee a legally compliant outcome across all GDPR obligations.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
