Guidelines of the European Data Protection Board

The European Data Protection Board is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal justice authorities in the European Union.

The European Data Protection Board was established on 25 May 2018. Before the establishment of the European Data Protection Board, the Article 29 Working Party served as the cooperation body for data protection authorities in the EU.

Guidelines of the EDPB

Adopted guidelines

Guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (Art. 6 1 b)

Recommendation 01/2019 on the draft list of the European Data Protection Supervisor regarding the processing operations subject to the requirement of a data protection impact assessment

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies

Guidelines 4/2018 on the accreditation of certification bodies

Guidelines 2/2018 on derogations of Article 49

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43

Public consultation on guidelines

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default

Comments can be provided on European Data Protection Board's website by January 16th 2020.

Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR

Comments can be provided on European Data Protection Board's website by February 5th 2020.

Guidelines that have gone through a public consultation but not yet adopted

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Guidelines 3/2019 on processing of personal data through video devices


Guidelines and recommendations of the Article 29 Working Party

Automated individual decision-making and profiling

Guidelines on Automated Individual Decision-making and Profiling for the Purposes

Identifying the lead supervisory authority

Guidelines for identifying a controller or processor’s lead supervisory authority and frequently asked questions


Guidelines on Transparency


Guidelines on Consent

Data portability

Guidelines on the right to data portability

Frequently asked questions: Data portability

Data Protection Officers

Guidelines on Data Protection Officers (‘DPOs’) and frequently asked questions about DPOs

Personal data breaches

Guidelines on Personal Data Breach Notification 

Impact assessments

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

Administrative fines

Guidelines on the application and setting of administrative fines