EDPB publishes three new sets of guidance

In late February 2023, the EDPB published the following new sets of guidance:

Guidelines on the interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR:

The EDPB acknowledges that the GDPR does not define the concept of “a transfer of personal data to a third country or to an international organisation” and has therefore released guidelines to assist with this. The EDPB sets out the following test:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3 (territorial scope of the GDPR) or is an international organisation.

If a transfer meets these criteria, it will need to be either covered by an adequacy decision or appropriate safeguards will need to be adopted. The guidelines stress that even if the criteria are not met, controllers/processors must still have regard to their obligations under GDPR where these apply (e.g. in a situation where an organisation in a third country obtains personal data directly from an individual, no transfer will occur, but it will still be necessary to comply with applicable parts of the GDPR).

Guidelines on certification as a tool for transfers

These guidelines supplement the existing guidelines on certification.

Part one

The guidance identifies two standards which must be met. The requirement that a transfer must comply with Chapter V of the GDPR (Transfers of personal data to third countries or international organisations) and the other provisions of the GDPR. The guidance also contains details on the roles of the parties to the transfer and the process for obtaining certification.

Part two

This part relates to the requirements for an accreditation body, further explaining some of the requirements applicable.

Part three

Guidance is given on the certification criteria set out in the previous guidelines and adds new criteria to be included in the certification mechanism, relating to the assessment of the third country legislation the general obligations of importers/exporters, rules in relation to onward transfers, redress and enforcement and procedures to be adopted where the third country prevents compliance with the certification commitments.

Part four

This part relates to controllers and processors not subject to GDPR and the steps they should take in relation to providing appropriate safeguards for data transferred to a third country and include a “warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing…. prevent it from fulfilling its commitments under the certification”.

Guidelines on deceptive design patterns in social media platform interfaces:

The guidelines cover how to assess and avoid “deceptive patterns” i.e. “interfaces and user journeys on social media that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often toward a decision that is against the users’ best interests and in favour of the social media platforms interests, regarding the processing of their personal data.”

The guidelines identify the following (non-exhaustive) categories of deceptive design patterns:

Overloading – making lots of requests/ providing lots of information/options which can cause confusion

Skipping – these methods cause users to forget/not think about data protection issues

Stirring – these affect the choices a user makes by employing nudge techniques or appealing to users’ emotions

Obstructing – putting obstacles in the way of users trying to become informed about /manage their data

Fickle – inconsistency/lack of clarity making it difficult to understand the purposes of processing and to navigate the data protection control tools

Left in the dark – an interface which is designed to hide information or control tools

The guidance also advises which parts of the GDPR provisions are relevant to assessing deceptive design patterns, provides examples of deceptive design patterns and gives best practice advice in relation to designing user interfaces, along with a checklist for deceptive design pattern categories.

The new sets of guidance can be accessed here.


Don't just take our word for it