Skip to Content

Guidelines of the European Data Protection Board

The European Data Protection Board is responsible for the uniform application of the EU's General Data Protection Regulation (EUR-Lex) and the Data Protection Directive (EUR-Lex) applying to police and criminal justice authorities in the European Union.

The European Data Protection Board was established on 25 May 2018. Before the establishment of the European Data Protection Board, the Article 29 Working Party served as the cooperation body for data protection authorities in the EU.

Guidelines of the EDPB

Public consultation on guidelines

There are no ongoing public consultations on guidelines.

Adopted guidelines

Guidelines 9/2022 on personal data breach notification under GDPR (pdf)  ​​​​​​​

Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority (pdf)

Guidelines 07/2022 on certification as a tool for transfers

Guidelines 06/2022 on the practical implementation of amicable settlements (pdf)

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement (pdf)

Guidelines 04/2022 on the calculation of administrative fines under the GDPR (pdf)

Guidelines 3/2022 on deceptive design patterns in social media platform interfaces: How to recognise and avoid them (pdf)

Guidelines 02/2022 on the application of Article 60 GDPR (pdf)

Guidelines 01/2022 on data subject rights - Right of access

Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR ​​​​​​​

Guidelines 04/2021 on codes of conduct as tools for transfers (pdf) ​​​​​​​

Guidelines 03/2021 on the application of Article 65(1)(a) GDPR (pdf)

Guidelines 02/2021 on Virtual Voice Assistants (pdf)

Guidelines 01/2021 on Examples regarding Data Breach Notification (pdf)

Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (pdf)

Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive (pdf)

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (pdf)

Guidelines 10/2020 on restrictions under Article 23 GDPR (pdf)

Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679 (pdf)

Guidelines 8/2020 on the targeting of social media users (pdf)

Guidelines 07/2020 on the concepts of controller and processor in the GDPR (pdf)

Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (pdf)

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (pdf)

Guidelines 05/2020 on consent under Regulation 2016/679 (pdf)

Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (pdf)

Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (pdf)

Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (pdf)

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications (pdf)

Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (pdf)

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (pdf)

Guidelines 3/2019 on processing of personal data through video devices (pdf)

Guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (Art. 6 1 b( (pdf)

Recommendation 01/2019 on the draft list of the European Data Protection Supervisor regarding the processing operations subject to the requirement of a data protection impact assessment (pdf)

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies (pdf)

Guidelines 4/2018 on the accreditation of certification bodies (pdf)

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (pdf)

Guidelines 2/2018 on derogations of Article 49 (pdf)

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 (pdf)

Guidelines that have gone through a public consultation but not yet adopted

Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive

Guidelines 01/2023 on Article 37 Law Enforcement Directive

Guidelines and recommendations of the Article 29 Working Party

Automated individual decision-making and profiling

Guidelines on Automated Individual Decision-making and Profiling for the Purposes (pdf)

Identifying the lead supervisory authority

Guidelines for identifying a controller or processor’s lead supervisory authority and frequently asked questions (pdf)


Guidelines on Transparency (pdf)


Guidelines on Consent (pdf)

Data portability

Guidelines on the right to data portability (pdf)

Frequently asked questions: Data portability (pdf)

Data Protection Officers

Guidelines on Data Protection Officers (‘DPOs’) and frequently asked questions about DPOs (pdf)

Personal data breaches

Guidelines on Personal Data Breach Notification (pdf)

Impact assessments

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (pdf)

Administrative fines

Guidelines on the application and setting of administrative fines (pdf)

Back to top