GDPR
Image by DreamPixer from Pixabay

List of key documents adopted and published by the European Data Protection Board

Source: European Data Protection Board (EDPB) website.

We collected the main references of the EDPB’s documentary production as published on their institutional website.

Our aim is to propose a resource that provides an overview of the main measures issued by the EDPB in order to facilitate privacy professionals and people dealing with data protection and privacy in their work and study activities.

However, the page is continually being updated.

Stay tuned!

After the table containing the list of Guidelines, you can find all the key documents adopted and published by the EDPB, ordered by year.


Latest documents published bt the EDPB (update 12/1/2023) - Binding Decisions:

In the table, the dates in bold refer to the latest documents.


Table of the EDPB Guidelines ordered by year


YearG. Nr.TopicAdoptedversionGDPR
2022Guidelines 9/2022on personal data breach notification under GDPR10/10/20221.0-PCR87-4(12)-32-33-34
2022Guidelines 8/2022on identifying a controller or processor’s lead supervisory authority10/10/20221.0-PCR36-4(16)-4(23)-56
2022Guidelines 07/2022on certification as a tool for transfers14/6/20221.046(2)(f)
2022Guidelines 06/2022on the practical implementation of amicable settlements12/5/20222.0R131
2022Guidelines 05/2022on the use of facial recognition technology in the area of law enforcement12/5/20221.0-PC60
2022Guidelines 04/2022on the calculation of administrative fines under the GDPR12/5/20221.0-PC83
2022Guidelines 3/2022on Dark patterns in social media platform interfaces: How to recognise and avoid them14/3/2022PC
2022Guidelines 02/2022on the application of Article 60 GDPR14/3/20221.060
2022Guidelines 01/2022on data subject rights - Right of access18/1/2022PC15/22
2021Guidelines 05/2021on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR18/11/20213-44/50
2021Guidelines 04/2021on codes of conduct as tools for transfers22/2/20222.0
2021Guidelines 03/2021on the application of Article 65(1)(a) GDPR13/4/202165(1)(a)
2021Guidelines 02/2021on Virtual Voice Assistants7/7/20212.0
2021Guidelines 01/2021on Examples regarding Data Breach Notification14/12/20212.04-33-34
2020Guidelines 10/2020on restrictions under Article 23 GDPR13/10/20212.023
2020Guidelines 09/2020on relevant and reasoned objection under Regulation 2016/6799/3/20212.04-60-65
2020Guidelines 08/2020on the targeting of social media users2/9/20201.0
2020Guidelines 07/2020on the concepts of controller and processor in the GDPR2/9/20201.04-24-28-29
2020Guidelines 06/2020on the interplay of the Second Payment Services Directive and the GDPR15/12/20202.0
2020Guidelines 05/2020on consent under Regulation 2016/6794/5/20201.04-6-7-8
2020Guidelines 04/2020on the use of location data and contact tracing tools in the context of the COVID-19 outbreak21/4/2020
2020Guidelines 03/2020on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak21/4/2020
2020Guidelines 02/2020on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies15/12/20202.046
2020Guidelines 01/2020on processing personal data in the context of connected vehicles and mobility related applications28/1/20201.0
2019Guidelines 05/2019on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)7/7/20202.017
2019Guidelines 04/2019on Article 25 Data Protection by Design and by Default20/10/20202.025
2019Guidelines 03/2019on processing of personal data through video devices29/1/20202.0
2019Guidelines 02/2019on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects8/10/20192.06
2019Guidelines 01/2019on Codes of Conduct and Monitoring Bodies under Regulation 2016/6794/6/20192.040-41
2018Guidelines 04/2018on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)4/6/20193.043
2018Guidelines 03/2018on the territorial scope of the GDPR (Article 3)16/11/20183
2018Guidelines 02/2018on derogations of Article 49 under Regulation 2016/67925/5/201849
2018Guidelines 01/2018on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/67925/5/201842-43



Guidelines


2022


  1. Guidelines 9/2022 on personal data breach notification under GDPR - Adopted on 10/10/2022 (v. 1.0) - Pub. 18/10/2022 - PC (comments by 29th November 2022 at the latest);
  2. Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority - Adopted on 10/10/2022 (v. 1.0) - Pub. 21/10/2022 - PC (comments by 2nd December 2022 at the latest);
  3. Guidelines 07/2022 on certification as a tool for transfers - Adopted on 14/6/2022 (v. 1.0) - Pub. 30/06/2022 - PC (comments by 30th September 2022 at the latest);
  4. Guidelines 06/2022 on the practical implementation of amicable settlements - Adopted on 12/5/2022 (v. 2.0);
  5. Guidelines 5/2022 on the use of facial recognition technology in the area of law enforcement - Adopted on 12/5/2022 - PC (comments by June 27th 2022);
  6. Guidelines 4/2022 on the calculation of administrative fines under the GDPR - Adopted on 12/5/2022 - PC (comments by June 27th 2022);
  7. Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them - Adopted on 14/3/2022 - PC (comments by May 2nd 2022);
  8. Guidelines 02/2022 on the application of Article 60 GDPR - Adopted on 14/03/2022 (v.1.0);
  9. Guidelines 01/2022 on data subject rights - Right of access - Adopted on 18/1/2022 - PC (comments by March 11th 2022);

2021


  1. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR - Adopted on 18/11/2021 - PC (19/11/2021 - 31/1/2021);
  2. Guidelines 04/2021 on codes of conduct as tools for transfers - Adopted on 22/02/2022 (v.2.0);
  3. Guidelines 03/2021 on the application of Article 65(1)(a) GDPR - Adopted on 13/4/2021 - PC (16/4/2021 - 28/5/2021);
  4. Guidelines 02/2021 on virtual voice assistants - Adopted on 7/7/2021 (v.2.0);
  5. Guidelines 01/2021 on Examples regarding Data Breach Notification - Adopted on 14/12/2021 (v.2.0);

2020


  1. Guidelines 10/2020 on restrictions under Article 23 GDPR - Adopted on 13/10/2021 (v.2.0);
  2. Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679 - Adopted on 9/3/2021 (v.2.0);
  3. Guidelines 8/2020 on the targeting of social media users - Adopted on 13/4/2021 (v.2.0);
  4. Guidelines 07/2020 on the concepts of controller and processor in the GDPR - Adopted on 7/7/2021 (v.2.0);
  5. Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR - Adopted on 15/12/2020 (v.2);
  6. Guidelines 05/2020 on consent under Regulation 2016/679 - Adopted on 4/5/2020 (v.1.0);
  7. Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak - Adopted on 21/4/2020;
  8. Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak - Adopted on 21/4/2020
  9. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies Adopted on 15/12/2020 (v.2);
  10. Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications - Adopted on 28/1/2020 (v.1) - PC (7/2/2020 - 4/5/2020).

2019


  1. Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) - Adopted on 7/7/2020 (v.2.0);
  2. Guidelines 4/2019 on Article 25 Data Protection by Design and by Default - Adopted on 20/10/2020 (v.2.0);
  3. Guidelines 3/2019 on processing of personal data through video devices - Adopted on 29/1/2020 (v.2.0);
  4. Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects - Adopted on 8/10/2019 (v.2.0);
  5. Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 - Adopted on 4/6/2019 (v.2.0).

2018


  1. Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) - Annex 1 - Adopted on 4/12/2018 - PC (14/12/2018 - 1/2/2019).
  2. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Adopted on 16/11/2018 - PC (23/11/2018 - 18/1/2019);
  3. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 - Adopted on 25/5/2018;
  4. Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 - Adopted on 25/5/2018 - PC (30/5/2018 - 12/7/2018).



Decisions


2022


EDPB Binding Decisions

  1. Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Instagram service (Art. 65 GDPR) - Adopted on 5/12/2022
  2. Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR) - Adopted on 5/12/2022
  3. Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR - Adopeted on 28/7/2022

EDPB Decisions

  1. Decision 01/2022 on the dispute arisen on the draft decision of the French Supervisory Authority regarding Accor SA under Article 65(1)(a) GDPR - Adopted on 15/6/2022

2022


EDPB Binding Decisions

  1. Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR - Adopted on 28/7/2021
  2. Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited - Adopted on 12/7/2021

2022


EDPB Decisions

  1. Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR - Adopted on 9/11/2020



Recommendations


2022

  1. Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) - Adopted on 14/11/2022

2021


  1. Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions - Adopted on 19/5/2021;
  2. Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive - Adopted on 2/2/2021.

2020


  1. Recommendations 02/2020 on the European Essential Guarantees for surveillance measures - Adopted on 10/11/2020;
  2. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data - Adopted on 18/6/2021 (v.2.0);
  3. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data - Adopted on 10/11/2020 - PC (11/11/202 - 21/12/2020).

2019


  1. Recommendation 01/2019 on the draft list of the European Data Protection Supervisor regarding the processing operations subject to the requirement of a data protection impact assessment (Article 39.4 of Regulation (EU) 2018/1725) - Adopted on 10/7/2019.



Best Practice


No document.




Opinions


2022


EDPB-EDPS Joint Opinions

  1. EDPB-EDPS Joint Opinion 04/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse - Adopted on 28/7/2022;
  2. EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space - Adopted on 12/7/2022;
  3. EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) - Adopted on 4/5/2022;
  4. EDPB-EDPS Joint Opinion 1/2022 on the extension of Covid-19 certificate Regulation - Adopted on 14/3/2022

EDPB Opinions

  1. Opinion 31/2022 on the draft decision of the Slovak Supervisory Authority regarding the Processor Binding Corporate Rules of Piano Group - Adopted on 28/11/2022
  2. Opinion 30/2022 on the draft decision of the Slovak Supervisory Authority regarding the Controller Binding Corporate Rules of Piano Group - Adopted on 28/11/2022
  3. Opinion 29/2022 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of the DSV Group - Adopted on 18/11/2022
  4. Opinion 28/2022 on the Europrivacy criteria of certification regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 (GDPR) - Adopted on 10/10/2022;
  5. Opinion 27/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of LEYTON Group - Adopted on 7/10/2022;
  6. Opinion 26/2022 on the draft decision of the Data Protection Authority of Bavaria for the Private Sector regarding the Controller Binding Corporate Rules of the Munich Re Reinsurance Group - Adopted on 30/9/2022;
  7. Opinion 25/2022 regarding the European Privacy Seal (EuroPriSe ) certification criteria for the certification of processing operations by processors - Adopted on 13/9/2022;
  8. Opinion 24/2022 on the draft decision of the Swedish Supervisory Authority regarding the Processor Binding Corporate Rules of the Samres Group - Adopted on 7/9/2022;
  9. Opinion 23/2022 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of the Samres Group - Adopted on 7/9/2022;
  10. Opinion 22/2022 on the draft decision of the Liechtenstein Supervisory Authority regarding the Controller Binding Corporate Rules of Hilti Group - Adopted on 7/9/2022;
  11. Opinion 21/2022 on the draft decision of the Irish Supervisory Authority regarding the Processor Binding Corporate Rules of the Ellucian Group - Adopted on 26/8/2022;
  12. Opinion 20/2022 on the draft decision of the Irish Supervisory Authority regarding the Controller Binding Corporate Rules of the Ellucian Group - Adopted on 26/8/2022;
  13. Opinion 19/2022 on the draft decision of the Baden- Württemberg (Germany) Supervisory Authority regarding the Controller Binding Corporate Rules of the Mercedes- Benz Group - Adopted on 26/8/2022;
  14. Opinion 18/2022 on the draft decision of the Baden- Württemberg (Germany) Supervisory Authority regarding the Controller Binding Corporate Rules of the Daimler Truck Group - Adopted on 26/8/2022;
  15. Opinion 17/2022 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of the ANTOLIN Group - Adopted on 1/8/2022;
  16. Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 4/7/2022;
  17. Opinion 15/2022 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 4/7/2022;
  18. Opinion 14/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 4/7/2022;
  19. Opinion 13/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 4/7/2022;
  20. Opinion 12/2022 on the draft decision of the competent supervisory authority of France regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 4/7/2022;
  21. Opinion 11/2022 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 4/7/2022;
  22. Opinion 09/2022 on the draft decision of the Danish Supervisory Authority regarding the Processor Binding Corporate Rules of Bioclinica Group - Adopted on 4/5/2022;
  23. Opinion 08/2022 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Bioclinica Group - Adopted on 4/5/2022;
  24. Opinion 07/2022 on the draft decision of the Hungarian Supervisory Authority regarding the Controller Binding Corporate Rules of MOL Group - Adopted on 19/4/2022;
  25. Opinion 06/2022 on the draft decision of the Irish Supervisory Authority regarding the Controller Binding Corporate Rules of Groupon International Limited - Adopted on 19/4/2022;
  26. Opinion 05/2022 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of the Lundbeck Group - Adopted on 19/4/2022;
  27. Opinion 04/2022 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Norican Group - Adopted on 18/3/2022;
  28. Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group - Adopted on 7/2/2022;
  29. Opinion 02/2022 on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules of the WEBHELP Group - Adopted on 7/2/2022;
  30. Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR – CARPA certification criteria - Adopted on 1/2/2022;

2021


EDPB-EDPS Joint Opinions

  1. EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) - Adopted on 18/6/2021;
  2. EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery - Adopted on 8/4/2021 (v.1.1);
  3. EDPB-EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act) - Adopted on 9/6/2021 (v.1.1);
  4. EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries - Adopted on 14/1/2021;
  5. EDPB-EDPS Joint Opinion 1/2021 on standard contractual clauses between controllers and processors - Adopted on 14/1/2021;

EDPB Opinions

  1. Opinion 39/2021 on whether Article 58(2)(g) GDPR could serve as a legal basis for a supervisory authority to order ex officio the erasure of personal data, in a situation where such request was not submitted by the data subject - Adopted on 14/12/2021;
  2. Opinion 38/2021 on the draft decision of the competent supervisory authority of Latvia regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 20/11/2021;
  3. Opinion 37/2021 on the draft decision of the competent supervisory authority of Malta regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 30/11/2021;
  4. Opinion 36/2021 on the draft decision of the competent supervisory authority of Norway regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 30/11/2021;
  5. Opinion 35/2021 on the draft decision of the competent supervisory authority of Belgium regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 30/11/2021;
  6. Opinion 34/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Otis - Adopted on 26/10/2021;
  7. Opinion 33/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Carrier - Adopted on 26/10/2021;
  8. Opinion 32/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the Republic of Korea - Adopted on 24/9/2021;
  9. Opinion 31/2021 on the draft decision of the Spanish Supervisory Authority regarding the Processor Binding Corporate Rules of the COLT Group - Adopted on 2/8/2021;
  10. Opinion 30/2021 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of the COLT Group - Adopted on 2/8/2021;
  11. Opinion 29/2021 on the draft decision of the Belgian Supervisory Authority regarding the Processor Binding Corporate Rules of Oregon Tool, Inc (Formerly “Blount”) - Adopted on 2/8/2021;
  12. Opinion 28/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Oregon Tool, Inc (formerly “Blount”) - Adopted on 2/8/2021;
  13. Opinion 27/2021 on the draft decision of the Supervisory Authority of North Rhine-Westphalia (Germany) regarding the Processor Binding Corporate Rules of the Internet Initiative Japan Group - Adopted on 2/8/2021;
  14. Opinion 26/2021 on the draft decision of the Supervisory Authority of North Rhine-Westphalia (Germany) regarding the Controller Binding Corporate Rules of the Internet Initiative Japan Group - Adopted on 2/8/2021;
  15. Opinion 25/2021 on the draft decision of the competent supervisory authority of Lithuania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 20/7/2021;
  16. Opinion 24/2021 on the draft decision of the competent supervisory authority of Slovakia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 20/7/2021;
  17. Opinion 23/2021 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 20/7/2021;
  18. Opinion 22/2021 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the CGI Group - Adopted on 1/7/2021;
  19. Opinion 21/2021 on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules of the CGI Group - Adopted on 1/7/2021;
  20. Opinion 20/2021 on Tobacco Traceability System - Adopted on 18/6/2021;
  21. Opinion 19/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 1/6/2021;
  22. Opinion 18/2021 on the draft Standard Contractual Clauses submitted by the LT SA (Article 28(8) GDPR) - Adopted on 19/5/2021;
  23. Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE) - Adopted on 19/5/2021;
  24. Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe - Adopted on 19/5/2021;
  25. Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom - Adopted on 13/4/2021;
  26. Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom - Adopted on 13/4/2021;
  27. Opinion 13/2021 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/3/2021;
  28. Opinion 12/2021 on the draft decision of the competent supervisory authority of Portugal regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/3/2021;
  29. Opinion 11/2021 on the draft decision of the competent supervisory authority of Norway regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/3/2021;
  30. Opinion 10/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/3/2021;
  31. Opinion 09/2021 on the draft decision of the Baden- Wurttemberg Supervisory Authority regarding the Controller Binding Corporate Rules of Luxoft Group - Adopted on 16/2/2021;
  32. Opinion 08/2021 on the draft decision of the Baden- Wurttemberg Supervisory Authority regarding the Processor Binding Corporate Rules of Luxoft Group - Adopted on 16/2/2021;
  33. Opinion 07/2021 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Kumon Group - Adopted on 16/2/2021;
  34. Opinion 06/2021 on the draft decision of the Spanish Supervisory Authority regarding the Processor Binding Corporate Rules of Kumon Group - Adopted on 16/2/2021;
  35. Opinion 05/2021 on the draft Administrative Arrangement for the transfer of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB) - Adopted on 2/2/2021;
  36. Opinion 04/2021 on the draft decision of the Belgian Supervisory Authority regarding the Processor Binding Corporate Rules of BDO - Adopted on 22/1/2021;
  37. Opinion 03/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of BDO - Adopted on 22/1/2021;
  38. Opinion 02/2021 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Elanders Group - Adopted on 22/1/2021;
  39. Opinion 01/2021 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Saxo Bank Group - Adopted on 22/1/2021.

2020


EDPB Opinions

  1. Opinion 32/2020 on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix - Adopted on 15/12/2020;
  2. Opinion 31/2020 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 7/12/2020;
  3. Opinion 30/2020 on the draft decision of the competent supervisory authority of Austria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 7/12/2020;
  4. Opinion 29/2020 on the draft decision of the Lower Saxony Supervisory Authority regarding the Controller Binding Corporate Rules of Novelis Group - Adopted on 8/12/2020;
  5. Opinion 28/2020 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Iberdrola Group - Adopted on 8/12/2020;
  6. Opinion 27/2020 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Coloplast Group - Adopted on 8/12/2020;
  7. Opinion 26/2020 on the draft decision of the competent supervisory authority of Denmark regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 7/12/2020;
  8. Opinion 25/2020 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Tetra Pak - Adopted on 31/7/2020;
  9. Opinion 24/2020 on the draft decision of the Norwegian Supervisory Authority regarding the Controller Binding Corporate Rules of Jotun - Adopted on 31/7/2020;
  10. Opinion 23/2020 on the draft decision of the competent supervisory authority of Italy regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  11. Opinion 22/2020 on the draft decision of the competent supervisory authority of Greece regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  12. Opinion 21/2020 on the draft decision of the competent supervisory authority of the Netherlands regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  13. Opinion 20/2020 on the draft decision of the competent supervisory authority of Greece regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  14. Opinion 19/2020 on the draft decision of the competent supervisory authority of Denmark regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  15. Opinion 18/2020 on the draft decision of the competent supervisory authority of the Netherlands regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  16. Opinion 17/2020 on the draft Standard Contractual Clauses submitted by the SI SA (Article 28(8) GDPR) - Adopted on 19/5/2020;
  17. Opinion 16/2020 on the draft decision of the competent supervisory authority of the Czech Republic regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  18. Opinion 15/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  19. Opinion 14/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  20. Opinion 13/2020 on the draft decision of the competent supervisory authority of Italy regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  21. Opinion 12/2020 on the draft decision of the competent supervisory authority of Finland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  22. Opinion 11/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  23. Opinion 10/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  24. Opinion 9/2020 on the draft decision of the Irish Supervisory Authority regarding the Processor Binding Corporate Rules of Reinsurance Group of America Adopted on 14/4/2020;
  25. Opinion 8/2020 on the draft decision of the Irish Supervisory Authority regarding the Controller Binding Corporate Rules of Reinsurance Group of America - Adopted on 14/4/2020;
  26. Opinion 7/2020 on the draft list of the competent supervisory authority of France regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 22/4/2020;
  27. Opinion 6/2020 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Fujikura Automotive Europe Group (FAE Group) - Adopted on 29/1/2020;
  28. Opinion 5/2020 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 GDPR - Adopted on 29/1/2020;
  29. Opinion 4/2020 on the draft decision of the competent supervisory authority of the United Kingdom regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 GDPR - Adopted on 29/1/2020;
  30. Opinion 3/2020 on the France data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;
  31. Opinion 2/2020 on the Belgium data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;
  32. 33.Opinion 1/2020 on the Spanish data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;

2019


EDPB-EDPS Joint Opinions

  1. EDPB-EDPS Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI) - Adopted on 12/7/2019;

EDPB Opinions

  1. Opinion 16/2019 on the draft decision of the Belgian Supervisory Authority regarding the Binding Corporate Rules of ExxonMobil Corporation - Adopted on 12/11/2019.
  2. Opinion 15/2019 on the draft decision of the competent supervisory authority of the United Kingdom regarding the Binding Corporate Rules of Equinix Inc. - Adopted on 8/10/2019;
  3. Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) - Adopted on 9/7/2019;
  4. Opinion 13/2019 on the draft list of the competent supervisory authority of France regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  5. Opinion 12/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  6. Opinion 11/2019 on the draft list of the competent supervisory authority of the Czech Republic regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  7. Opinion 10/2019 on the draft list of the competent supervisory authority of Cyprus regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35(4) GDPR) - Adopted on 9/7/2019;
  8. Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 9/7/2019;
  9. Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment - Adopted on 9/7/2019;
  10. Opinion 7/2019 on the draft list of the competent supervisory authority of Iceland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 12/3/2019;
  11. Opinion 6/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 12/3/2019;
  12. Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities - Adopted on 12/3/2019;
  13. Opinion 4/2019 on the draft AA between EEA and non-EEA Financial Supervisory Authorities - Adopted on 12/2/2019;
  14. Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) - Adopted on 23/1/2019;
  15. Opinion 2/2019 on the draft list of the competent supervisory authority of Norway regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 23/1/2019;
  16. Opinion 01/2019 on the draft list of the competent supervisory authority of the Principality of Liechtenstein regarding the processing operations subject to the requirement of a data protection impact assessment (Article 17.4 GDPR) - Adopted on 23/1/2019.

2018


EDPB Opinions

  1. Opinion 28/2018 regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan - Adopted on 5/12/2018;
  2. Opinion 27/2018 on the draft list of the competent supervisory authority of Slovenia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  3. Opinion 26/2018 on the draft list of the competent supervisory authority of Luxembourg regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  4. Opinion 25/2018 on the draft list of the competent supervisory authority of Croatia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  5. Opinion 24/2018 on the draft list of the competent supervisory authority of Denmark regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  6. Opinion 23/2018 on Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters (Art. 70.1.b) - Adopted on 23/9/2018;
  7. Opinion 22/2018 on the draft list of the competent supervisory authority of the United Kingdom regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  8. Opinion 21/2018 on the draft list of the competent supervisory authority of Slovakia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  9. Opinion 20/2018 on the draft list of the competent supervisory authority of Sweden regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  10. Opinion 19/2018 on the draft list of the competent supervisory authority of Romania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  11. Opinion 18/2018 on the draft list of the competent supervisory authority of Portugal regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  12. Opinion 17/2018 on the draft list of the competent supervisory authority of Poland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  13. Opinion 16/2018 on the draft list of the competent supervisory authority of the Netherlands regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  14. Opinion 15/2018 on the draft list of the competent supervisory authority of Malta regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  15. Opinion 14/2018 on the draft list of the competent supervisory authority of Latvia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  16. Opinion 13/2018 on the draft list of the competent supervisory authority of Lithuania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  17. Opinion 12/2018 on the draft list of the competent supervisory authority of Italy regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  18. Opinion 11/2018 on the draft list of the competent supervisory authority of Ireland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  19. Opinion 10/2018 on the draft list of the competent supervisory authority of Hungary regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  20. Opinion 9/2018 on the draft list of the competent supervisory authority of France regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  21. Opinion 8/2018 on the draft list of the competent supervisory authority of Finland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  22. Opinion 7/2018 on the draft list of the competent supervisory authority of Greece regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  23. Opinion 6/2018 on the draft list of the competent supervisory authority of Estonia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  24. Opinion 5/2018 on the draft list of the competent supervisory authorities of Germany regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  25. Opinion 4/2018 on the draft list of the competent supervisory authority of Czech Republic regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  26. Opinion 3/2018 on the draft list of the competent supervisory authority of Bulgaria regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  27. Opinion 2/2018 on the draft list of the competent supervisory authority of Belgium regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  28. Opinion 1/2018 on the draft list of the competent supervisory authority of Austria regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018.



Endorsed WP29 Guidelines


  1. Endorsement of GDPR WP29 guidelines by the EDPB
  2. Guidelines 05/2020 on consent under Regulation 2016/679 - Adopted on 4/5/2020
  3. Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) - Adopted on 29 November 2017 - As last Revised and Adopted on 11 April 2018
  4. Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) - Adopted on 3 October 2017 - As last Revised and Adopted on 6 February 2018
  5. Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) - Adopted on 3 October 2017 - As last Revised and Adopted on 6 February 2018
  6. Guidelines on the right to “data portability” (wp242rev.01) - Adopted on 13 December 2016 - As last Revised and adopted on 5 April 2017
  7. Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) - Adopted on 4 April 2017 - As last Revised and Adopted on 4 October 2017
  8. Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01) - Adopted on 13 December 2016 - As last Revised and Adopted on 5 April 2017
  9. Guidelines on the Lead Supervisory Authority (wp244rev.01) - Adopted on 13 December 2016 - As last Revised and Adopted on 5 April 2017
  10. Position Paper related to article 30(5)
  11. Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01) - Adopted on 11 April 2018
  12. Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data - Adopted on 11 April 2018
  13. Recommendation on the approval of the Processor Binding Corporate Rules form (wp265) - Adopted on 11 April 2018
  14. Working Document on Binding Corporate Rules for Controllers (wp256rev.01) - Adopted on 28 November 2017 - As last Revised and Adopted on 6 February 2018
  15. Working Document on Binding Corporate Rules for Processors (wp257rev.01) - Adopted on 28 November 2017 - As last Revised and Adopted on 6 February 2018
  16. Working document on Adequacy Referential (wp254rev.01) - Adopted on 28 November 2017 - As last Revised and Adopted on 6 February 2018
  17. Guidelines on the application and setting of administrative fines (wp253). Now including available language versions. - Adopted on 3 October 2017


Stay tuned!