The European Data Protection Board ('EDPB') issued, on 15 August 2020, its opinions on the draft decisions of the data protection authorities ('DPAs') of Italy, Greece, and the Netherlands regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), its opinions on the draft decisions of the DPAs of Greece, Denmark, and the Netherlands regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 of the GDPR, as well as its opinions on the draft decision of the Swedish and Norwegian DPAs regarding the controller Binding Corporate Rules ('BCRs') of Tetra Pak Group and Jotun Group respectively. In particular, and in relation to the opinions on the draft decisions of the Swedish DPA ('Datainspektionen') and of the Norwegian DPA ('Datatilsynet') regarding the controller BCRs of Tetra Pak and Jotun, the EDPB concludes that both the draft decisions may be adopted as they are, since they contain appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data will be transferred to and processed by the group members based in third countries.

You can read the opinions on the draft decisions of the DPAs of Italy, Greece, and the Netherlands regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 of the GDPR here, here, and here respectively, the opinions on the draft decisions of the DPAs of Greece, Denmark, and the Netherlands regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to Article 41 of the GDPR here, here and here respectively, and the opinions on the draft decision of the Swedish and Norwegian DPAs regarding the controller BCRs of Tetra Pak and Jotun here and here, respectively.