Overview of GDPR guidelines
Here you can find the GDPR guidelines published by the European Data Protection Board (EDPB). These guidelines clarify a number of subjects from the General Data Protection Regulation (GDPR). With this explanation of the GDPR, the EDPB provides organisations with practical guidance on implementing the privacy legislation in their work.
GDPR obligations and instruments
Restrictions (under Article 23 GDPR)
- Guidelines on restrictions under Article 23 GDPR
- Dutch translation: guidelines on restrictions under Article 23 GDPR
Certification and accreditation
Certification
- Guidelines on certification and identifying certification criteria
- Dutch translation: guidelines on certification
Certification as a tool for transfers
- Guidelines on certification as a tool for transfers
- Dutch translation: certification as a tool for transfers
Accreditation
Data protection impact assessment (DPIA)
Data Protection Officers (DPOs)
Codes of conduct
Codes of conduct and supervisory bodies
- Guidelines on codes of conduct and monitoring bodies
- Dutch translation: guidelines on codes of conduct and monitoring bodies
Codes of conduct as tools for transfers
- Guidelines on codes of conduct as tools for transfers
- Dutch translation: codes of conduct as tools for transfers
Legal bases
Consent
Agreement
- Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
- Dutch translation: guidelines on the performance of an agreement
Data breach notification obligation
Data breach notification obligation
- Guidelines on personal data breach notification under GDPR
  This is the latest version of these guidelines.
- Guidelines on Personal data breach notification
  A new version of these guidelines is available (in English only).
- Dutch translation: guidelines on the data breach notification obligation
  This is the Dutch translation of the old version of the guidelines. A Dutch translation of the latest version is not yet available.
Examples of the data breach notification obligation
- Guidelines on Examples regarding Personal Data Breach Notification
- Dutch translation: guidelines on examples of the data breach notification obligation
Privacy by design and by default
- Guidelines on data protection by design and by default
- Dutch translation: guidelines on privacy by design and default
Transparency
Processing register
Controller and processor
- Guidelines on the concepts of controller and processor in the GDPR
- Dutch translation: guidelines on the concepts of 'controller' and 'processor' in the GDPR
Internet and technology
Camera surveillance
- Guidelines on processing of personal data through video devices
- Dutch translation: guidelines on camera surveillance
Connected cars
Facial recognition
- Guidelines on the use of facial recognition technology in the area of law enforcement
- Dutch translation: guidelines on the use of facial recognition in law enforcement
Profiling
- Guidelines on automated decision making and profiling
- Dutch translation: guidelines on automated decision-making and profiling
Social media
Deceptive design
Targeting of users
- Guidelines on the targeting of social media users
- Dutch translation: guidelines on targeting of social media users
Voice assistants
- Guidelines on virtual voice assistants
- Dutch translation: guidelines on virtual voice assistants
International data traffic
Lead supervisory authority
International transfers
Exceptions
Certification as a tool for transfers
Codes of conduct as tools for transfers
- Guidelines on codes of conduct as tools for transfers
- Dutch translation: codes of conduct as tools for transfers
Binding corporate rules (BCR)
- Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Article 47 GDPR)
- Working Document on binding Corporate Rules for Processors
Governmental organisations
- Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
- Dutch translation: guidelines on transfers of personal data between public authorities and bodies inside and outside the EEA
Transfers for law enforcement
PSD2
- Guidelines on the interplay of the Second Payment Services Directive and the GDPR
- Dutch translation: guidelines on the interplay of PSD2 and the GDPR
Rights of data subjects
Right of access
Right to data portability
Right to be forgotten
- Guidelines on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1)
- Dutch translation: guidelines on the right to be forgotten
Collaboration between data protection agencies
Fines
Amount of the fine
When can a fine be imposed
- Guidelines on the application and setting of administrative fines
- Dutch translation: guidelines on administrative fines
Lead supervisory authority
Amicable settlements
- Guidelines on the practical implementation of amicable settlements
- Dutch translation: guidelines on the practical implementation of amicable settlements
Relevant and reasoned objection
- Guidelines on relevant and reasoned objection under Regulation 2016/679
- Dutch translation: guidelines on relevant and reasoned objection
Territorial scope of the GDPR
- Guidelines on the territorial scope of the GDPR
- Dutch translation: guidelines on the territorial scope of the GDPR
Application of Article 60 GDPR
- Guidelines on the application of Article 60 GDPR
- Dutch translation: guidelines on the application of Article 60 GDPR
Application of Article 65(1)(a) GDPR
EDPB guidelines in consultation
In most cases, the EDPB first publishes a draft version of the guidelines. This version is open to public consultation during a specified period of time. Interested parties can then voice their opinion and concerns. After this consultation, the EDPB adopts the final version of the guidelines.
Currently these guidelines are open to consultation: