Two EDPB Opinions adopted on 16 April 2026 finally operationalise what the GDPR has allowed since 2018. That makes the Europrivacy transfer tool operational for the first time. Opinion 14/2026 confirms Europrivacy version 82 as a Data Protection Seal under Article 42(5). Opinion 15/2026 approves a separate set of criteria as an Article 46 transfer mechanism. Importers outside the EEA can use the Europrivacy transfer tool when combined with binding and enforceable commitments. For procurement teams running AI vendor files, that is a small text change with a large practical effect.
The EDPB three-criteria test still defines what counts as a transfer. The exporter is subject to GDPR; the data is disclosed or made available; the importer sits in a third country. Certification does not change that test. It changes the toolkit applied once the test is satisfied.
Two distinct Europrivacy use-cases
The first thing procurement teams need to register is that “Europrivacy” now refers to two things. They look similar on a vendor questionnaire. They are not the same instrument.
As a Data Protection Seal under Article 42(5)
The Article 42(5) version evidences GDPR compliance for entities that are themselves subject to the GDPR. That includes EU and EEA controllers and processors. Under version 82 it now also covers non-EU entities falling within Article 3(2). A vendor presenting this seal is telling you they are subject to GDPR and have demonstrated compliance through certification. It is useful in procurement, but it is not, by itself, a transfer tool.
The Europrivacy transfer tool
The Opinion 15/2026 version is a separate scheme. It applies to data importers outside the EEA who are not subject to the GDPR. Two conditions apply. The importer must be certified, and it must sign binding and enforceable commitments toward the EU exporter. The certification then works as an Article 46 appropriate safeguard. This is the first time the EDPB has approved any certification scheme in this role.
Five concrete changes when the Europrivacy transfer tool lands
When the Europrivacy transfer tool reaches your procurement file, five updates are needed this quarter. None is structural; together they reset where certification sits in the picture.
- Update the transfer-mechanism inventory. Where the inventory lists SCCs, BCRs, adequacy and “other”, add a row for certification with the scheme name and version. The point is not to convert vendors; it is to record what each one actually relies on.
- Revise the vendor questionnaire. Ask whether the importer holds a certification. Capture the scheme, the scope (the Target of Evaluation), the certification body and the expiry date. Without scope and scheme, the answer is not usable.
- Keep the Transfer Impact Assessment. Certification does not exempt the controller from the TIA. The exporter still has to assess whether third-country law undermines the safeguard. The EDPB has been explicit on this.
- Recheck supplementary measures under Recommendations 01/2020. Certification slots into the appropriate-safeguards layer; it does not absorb the layer beneath it. Technical and organisational measures still have to be evaluated against the destination jurisdiction.
- Update onward-transfer clauses. Require certification continuity from the importer for the contract’s lifetime, with prompt notification of any lapse, revocation or scope change. 22Academy has documented recurring transfer-clause failures that are easy to inherit.
Each change is small. The combined effect lands at the next vendor due diligence review.
The Shein inquiry shows what regulators look at
The Irish DPC’s 5 May 2026 inquiry into Shein Ireland’s EU-to-China transfers is a live illustration, not a conclusion. The DPC issued the decision on 30 April and has not ruled on anything yet. What the inquiry does is signal what the regulator examines: Article 5 principles, Article 13 transparency and Chapter V transfer requirements together. The transfer mechanism is part of the picture, never the whole picture. That should be the working assumption for any procurement file. Provider jurisdiction risk is now a routine procurement question, not an exceptional one.
What the Europrivacy transfer tool does not change
The most common procurement misread is that a certified importer takes the exporter off the hook. It does not. The controller in the EEA remains accountable under Article 5(2). It still has to demonstrate a lawful basis under Article 6 before the transfer question arises. The Chapter V default position is unchanged: the destination must provide protections essentially equivalent to those within the EEA. Data subject rights still apply across the transfer. The Schrems-II equivalence question for contested jurisdictions has not gone away. The Europrivacy transfer tool gives the controller a new safeguard to choose from. It does not redistribute liability.
Start with the decision sheet
A Future Prep decision sheet, Certification as a GDPR Transfer Mechanism, places the seven transfer mechanisms side by side. It carries a procurement checklist and a visual flag where certification still requires a TIA. Use it as the operational companion to this article and refresh your procurement file before the next renewal cycle.
Pick one AI vendor this week. Walk the file against the five changes. The other vendors will be easier once the first is done.
Newsletter
Releted Blogs
LATEST NEWS
AI governance is not a future problem
Regulation is already in effect. Your competitors are already building internal capability. The gap between ‘we are aware of AI’ and ‘we have operational control’ is closing, and it closes faster with a structured framework.
Book a 30-minute discovery call. No obligation. We will assess where your organisation stands and what a realistic starting point looks like.
No sales pressure. No jargon. Just a structured conversation about your organisation's AI readiness.