We use cookies to ensure that we give you the best experience on our website. Cookies enable us to provide you core functionalities such as security, network management and accessibility. They improve usability and performance through various features such as language recognition, search results and thereby improve what we offer to you.

For more information, please visit our Privacy Policy

GDPR TRANSFER CERTIFICATION

GDPR Transfer Certification
20 May

GDPR Transfer Certification

165 | CIPP-E Preparation | International Data Transfers Schrems II GDPR transfer certification Article 46 GDPR EDPB Opinion 15/2026 EDPB Opinion 14/2026 Europrivacy seal Shein DPC inquiry

For years, the international transfers sub-domain that covered codes of conduct and certifications sat as the dry corner of the CIPP/E Body of Knowledge. As of 16 April 2026, it is the live one. The EDPB has approved the first-ever GDPR transfer certification scheme; the Irish Data Protection Commission opened the Shein inquiry three weeks later. Two events, one effect: the question of certification as a transfer tool has moved from theoretical to operational, and the exam will follow.

GDPR Transfer Certification: What the EDPB Just Approved

The European Data Protection Board adopted two opinions on the Europrivacy scheme. Opinion 14/2026 approves the criteria as a European Data Protection Seal under Article 42(5) GDPR; this is compliance evidence, available to controllers and processors. Opinion 15/2026 goes further and approves a separate set of criteria as a transfer tool under Articles 42 and 46(2)(f) GDPR. Eight years after the GDPR introduced the possibility in Article 42(2), this is the first time the Board has actually approved any scheme for that role. GDPR transfer certification has, for the first time, a working instrument with EDPB sign-off behind it.

Two Roles for GDPR Transfer Certification, Not One

The CIPP/E exam tests the distinction between the two opinions because the same word, certification, does two different jobs.

A Data Protection Seal under Article 42(5) demonstrates that a controller's or processor's processing operations meet the GDPR. It is an internal compliance instrument; it lives in the same family as a DPIA approval or a code of conduct.

A transfer tool under Article 46(2)(f) does something else entirely. It substitutes for an adequacy decision in the absence of one, providing appropriate safeguards for a transfer outside the EEA when combined with binding and enforceable commitments by the importer. The certification on its own is not enough; the importer's binding commitments are the second leg.

A candidate who treats these two as interchangeable on the CIPP/E exam will pick the wrong answer, every single time.

When the Importer Sits Outside the EEA

This is the scenario the EDPB has now operationalised. An importer based outside the EEA, not itself subject to the GDPR through Article 3(2), obtains GDPR transfer certification under the Article 46 criteria. The importer then signs binding and enforceable commitments to apply the certified safeguards to the personal data it receives. The EEA-based exporter, in turn, relies on the combination of certification plus commitments as the appropriate safeguard required by Article 46(1).

The IAPP Body of Knowledge, which sets out every topic the CIPP/E exam can cover, treats this as a discrete answer choice alongside Standard Contractual Clauses and Binding Corporate Rules. The exam now has a fourth realistic option in the transfer-tool selection question, and the EDPB guidelines catalogue has just gained a substantial new entry.

Why the Shein Inquiry Still Matters

The same week the new certification scheme moved into operational territory, the Irish DPC announced an inquiry into Shein Ireland over EU-to-China data transfers from the company's Dublin EMEA headquarters. Cross the two events and the practical question lands. Even with an approved certification scheme in place, a transfer to a third country has to deliver protection essentially equivalent to the EU level. That is the Schrems II standard; it has not gone anywhere. The DPC inquiry sits precisely on that point. GDPR transfer certification or not, the questions the DPC will ask are the same. Did the exporter assess the legal environment in China? Did the supplementary measures cover government access? Did the safeguards survive in practice, not only on paper?

The mental model to carry into the exam: GDPR transfer certification adds a fourth tool to the toolbox; it does not lift the underlying obligation to verify essential equivalence. Confusing the two is the first distractor pattern the exam will test.

The TIA Does Not Disappear

Recommendations 01/2020 on supplementary measures still applies. Whichever transfer tool the exporter selects (SCCs, BCRs, certification under Article 46, ad hoc clauses, codes of conduct) the transfer impact assessment remains the exporter's responsibility. GDPR transfer certification removes none of it. Read carefully, Opinion 15/2026 acknowledges this directly; certification provides the safeguards framework, the TIA verifies whether those safeguards survive in the destination jurisdiction. Different test, different evidence, different chapter of the exam.

Three Patterns the CIPP/E Exam Will Test

The April 2026 development reshapes the transfer-mechanism question in three predictable ways. Each maps to a familiar distractor template, and each rewards candidates who read the actor and the obligation separately before reaching for a label.

The adequacy trap

A question frames certification as a substitute for an adequacy decision. It is not. An adequacy decision under Article 45 is a unilateral act of the European Commission about a third country's general legal framework. GDPR transfer certification under Article 46(2)(f) is a transaction-level mechanism, agreed between the parties, that operates in the absence of adequacy. The exam will reward candidates who keep the two clean.

The TIA trap

A question describes a transfer to a third country, lists the importer's certification, and asks for the next step. The wrong answer treats certification as a complete solution; the right answer keeps the transfer impact assessment alive. Recommendations 01/2020, again.

The tool-selection trap

A question describes a non-EU importer that is not itself subject to the GDPR, then asks which transfer tool fits. The correct answer is now scenario-dependent: SCCs, BCRs or GDPR transfer certification combined with binding commitments. The list has changed; candidates who memorised the old answer set will get this wrong.

A one-page summary covering the two EDPB Opinions, the transfer-tool selection question and the TIA reading is on its way; if you want a clean reference for revision week, watch the 22Academy Study page where new resources are posted as they go live.

Share this Post

Completely Up To Date

Completely Up To Date

Become an AI Governance Professional!

SAVE YOUR SEAT

Ready to kick-start your career?

GET STARTED NOW

Categories

About The Blog

Stay up to date with the latest news, background articles, and tips for your study.

Our latest video

22Academy

Tailored Training Solutions

Let's find the best education solution for your situation. We will contact you for Free Support!

Success! Your message has been sent to us.
Error! There was an error sending your message.
It’s for:
We will only use your email address to contact you regarding your education needs. We do not sell your personal data to third parties.