The European Data Protection Board (EDPB) has adopted Opinion 15/2026, recognising the Europrivacy certification criteria as a European Data Protection Seal that can be used as a tool for international data transfers under Articles 42 and 46 of the GDPR. This is the first time the Board has approved any certification criteria as a transfer mechanism — adding a new option to the compliance toolkit alongside Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Under the approved scheme, data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification to demonstrate that they provide appropriate safeguards for the personal data they receive. The EDPB simultaneously adopted Opinion 14/2026, approving version 82 of the Europrivacy criteria as a general European Data Protection Seal under Article 42(5), extending coverage to controllers and processors established outside Europe who are subject to Article 3(2) GDPR because they offer goods or services to individuals in Europe or monitor their behaviour.

The practical significance of the transfer seal should not be overstated at this stage — the mechanism is new, and uptake will depend on how quickly certification bodies operationalise it and how the market responds. However, it represents a structural shift in how cross-border data flows can be legitimised, particularly for organisations that find SCCs administratively burdensome or BCRs disproportionate for their scale.

The opinions were adopted at the EDPB's plenary meeting on 16 April 2026, alongside draft guidelines on processing personal data for scientific research and a decision to establish a sprint team to finalise the long-awaited anonymisation guidelines by summer.

Acompli perspective: A new transfer tool does not eliminate the need for transfer impact assessments — but it does expand the options. Organisations managing complex international data flows should evaluate whether Europrivacy certification could simplify their third-party risk posture, particularly for data importers in jurisdictions where adequacy decisions do not apply. In the meantime, ensuring your records of processing accurately reflect all cross-border transfers remains the baseline expectation.