How does Europrivacy differ from SCCs?

Standard contractual clauses (SCCs) are contractual safeguards you as a controller put in place with your processor. Europrivacy is a certification the processor obtains, demonstrating that their systems and processes meet GDPR transfer requirements. You do not need to set up an additional contract.

How do I check whether my vendor is Europrivacy-certified?

Europrivacy certifications are maintained in a public register at europrivacy.eu. Expect major SaaS providers to pursue Europrivacy certification in 2026-2027 now that the first approval has set a precedent.

Does Europrivacy apply to US SaaS providers?

Yes. Europrivacy is designed for all non-EEA processors, including US providers. While the EU-US Data Privacy Framework (adequacy decision, 2023) provides another route for US transfers, Europrivacy offers an additional option for providers not covered by that framework or who want to offer a more robust safeguard.

Europrivacy: The First GDPR Data Transfer Tool That Goes Beyond SCCs

GDPR, Compliance

6/9/2026

When the Dutch Data Protection Authority (AP) fined Yango 100 million euros in May 2026 for transferring personal data to Russia on the basis of SCCs that were found to be insufficient, a lot of Dutch tech companies asked the same question: are our own vendor contracts actually adequate? It is a fair question. And there is now a new answer: Europrivacy certification. This matters because it is the first time in the eight years since GDPR came into force that a certification scheme has been approved as a transfer mechanism.

What Is Europrivacy Certification?

On 16 April 2026, the EDPB adopted Opinion 15/2026, approving Europrivacy certification as a data transfer mechanism under Articles 42 and 46 GDPR. The possibility for certification to serve this role has existed in the law since 2018, but was never used. Europrivacy is now the first certification that satisfies this legal basis.

Non-EEA data importers, meaning vendors outside the EU, can obtain Europrivacy certification to demonstrate that they provide adequate safeguards for receiving EU personal data. In practice, this means a certified processor carries the transfer safeguard within its own operations, rather than requiring you as the controller to set up a separate contract with each customer.

Why SCCs Are Not Always Sufficient

The Yango (100 million euros) and TikTok (530 million euros) fines both turned on the same finding: SCCs are contractual warranties, but if the country of the data importer has laws that can override those warranties, as is the case in Russia and China, SCCs provide inadequate protection.

The AP has made clear it expects Transfer Impact Assessments (TIAs) for all non-EEA transfers. And those TIAs must be honest. If the law of the receiving country allows authorities to access the data despite the SCC terms, then the SCC does not actually protect the data. That is the core problem.

SCCs place the burden of proof on you as the controller: you must demonstrate that the contractual commitments will hold up in practice. Where that is structurally difficult to show due to local law, you are left holding the risk.

How Europrivacy Works as a Transfer Safeguard

With SCCs, you as the controller set up a contract with your processor. Europrivacy works the other way around: the processor obtains the certification itself. If your vendor is Europrivacy-certified, that certification constitutes the Article 46 transfer safeguard. No additional contract from you is required.

Practical implication: when evaluating vendors, you can now ask "are you Europrivacy-certified?" as a procurement question, the same way you ask about ISO 27001 or whether they can provide a data processing agreement. If the answer is yes, the transfer safeguard is covered. Document the certification in your processing register and the TIA is effectively pre-addressed.

This also shifts responsibility. Under the SCC model, the compliance effort largely falls on you as the customer. Under the Europrivacy model, the vendor has already demonstrated its own compliance. For an SMB using dozens of SaaS tools, that is a meaningful difference in management overhead.

How to Check Whether Your Vendor Is Certified

The Europrivacy certification register is maintained at europrivacy.eu. The first major certifications are expected to appear in 2026 as the EDPB approval creates demand. Large SaaS providers with European customer bases have a strong commercial incentive to get certified, since certification lowers the procurement barrier for European business customers significantly.

What to do in the meantime: continue using SCCs with TIAs for existing vendors. For new vendor evaluations, add the question: "Have you applied for Europrivacy certification, or are you planning to?" The presence of that conversation also tells you how seriously a vendor takes its own privacy compliance.

What to Document in Your Processing Register

For each non-EEA processor, record in your processing register which transfer mechanism applies: an adequacy decision, an SCC, Binding Corporate Rules, or now a Europrivacy certification. If a vendor is Europrivacy-certified, note the certification reference and the date.

This is exactly what the vendor management module in ComplianceHive helps you track. Per vendor you record which transfer basis applies, when it was last reviewed, and when the next review is scheduled. When the AP comes knocking, your documentation is ready without digging through spreadsheets.

ComplianceHive helps you keep your GDPR processing register up to date with all vendor data, including the transfer mechanism that applies to each processor.