Through a common interpretation by data protection authorities in the EU, these guidelines seek to ensure a consistent application of the GDPR when assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework. In these guidelines, the EDPB sets out and clarifies the criteria for determining the […]
Guidelines
The list is intended to encompass both national and cross-border data processing and reflects feedback received during public consultation. The list has also been approved by the European Data Protection Board (EDPB) where it includes processing operations relating to the provision of goods and services to individuals or the monitoring of their behaviour in several Member States or which […]
This guidance will help you to understand the importance of encryption as an appropriate technical measure to protect the personal data you hold. Whether you are a controller or a processor, encryption is a technique that you can use to protect personal data. The guidance outlines the concept of encryption in the context of the […]
A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures. You also have to take into account additional requirements about the security of […]
The primary aim of these guidelines is to identify overarching criteria that may be relevant to all types of certification mechanisms issued in accordance with Articles 42 and 43 of the GDPR. To this end, the guidelines: explore the rationale for certification as an accountability tool; explain the key concepts of the certification provisions in […]
This document seeks to provide guidance as to the application of Article 49 of the General Data Protection Regulation (GDPR) on derogations in the context of transfers of personal data to third countries.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions. This document covers: Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II General provisions on profiling […]
The Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
Note: EDPB has issued updated Guidelines on consent under GDPR. These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date has evolved. The GDPR […]
This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.