Insights European Data Protection Board adopts three sets of guidelines following consultation


Following public consultation, the EDPB has adopted three sets of final version guidelines:

  1. Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR.

These Guidelines clarify the interplay between the territorial scope of the GDPR under Article 3 and the provisions on international transfers in Chapter V. They aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer and to provide a common understanding of the concept of international transfers. Following public consultation, the guidelines have been updated and further clarifications added. Most notably, a clarification has been added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples have been added to clarify aspects of direct collection, as well as the meaning of “the data importer is in a third country”. An annex has also been added with further illustrations of examples.

  1. Guidelines on certification as a tool for transfers

The main purpose of these Guidelines is to provide further clarification on the practical use of this transfer tool. The Guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers. The Guidelines complement Guidelines 1/2018 on certification, which provide more general guidance on certification. Following public consultation, the Guidelines were updated to reflect comments received.

  1. Guidelines on deceptive design patterns in social media platform interfaces.

These Guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe GDPR requirements. The Guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR. Following public consultation, the final version includes updated wording and clarifications to address comments and feedback received. In particular, the title of the Guidelines has been modified and the term “dark pattern” has been replaced by the term “deceptive design patterns”. In addition, clarifications have been added, e.g. on how to integrate the Guidelines in the design thinking process and a second Annex has been added, providing a quick overview of best practices.

To read the EDPB’s press release in full and for links to all the Guidelines, click here.