News form the June Plenary session. The guidance provides information about how to use certification in practice.
The European Data Protection Board has held its June plenary.
Guidance about certification as a tool for transfers
During the meeting, it adopted guidelines on certification as a tool for transfers. Article 46(2)(f) of GDPR introduced approved certification mechanisms as a new tool to transfer personal data to third countries if there is no adequacy agreement. The main purpose of the guidelines is to provide further clarification on how to use the transfer tool in practice.
The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different parties involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria to demonstrate the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification. The guidelines will be subject to public consultation until the end of September.
Accor dispute resolution decision
The EDPB has also adopted a dispute resolution decision under Article 65 of the GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the French supervisory authority as lead supervisory authority (LSA) regarding Accor SA, a company specialised in the hospitality sector whose main establishment is located in France, and the subsequent objections expressed by one of the concerned supervisory authorities (CSAs).
The French LSA issued the draft decision following a complaint-based inquiry into Accor SA, concerning a failure to take into account the right to object to the receipt of marketing messages by mail and/or difficulties encountered in exercising the right of access. On 30 April 2021, the LSA shared its draft decision with the CSAs in accordance with Article 60(3). One CSA issued objections under Article 60(4) of the GDPR concerning, among other issues, the amount of the fine.
The supervisory authorities were unable to reach consensus on one of the objections, which was then referred by the French LSA to the EDPB for determination under Art. 65(1)(a), thereby initiating the dispute resolution procedure.
The EDPB has now adopted its binding decision. The decision addresses the merits of the part of the objection found to be “relevant and reasoned” under Article 4(24).
The decision will now be translated in accordance with the EDPB Rules of Procedure. Next, the concerned supervisory authorities will be formally notified. The LSA shall adopt its final decision, addressed to the data controller, based on the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website without undue delay after the LSA has notified its national decision to the data controller.