24 February 2023
Following public consultation, the EDPB has adopted three sets of guidelines in their final version:
- Guidelines on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR: The Guidelines clarify the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V. They aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. Following public consultation, the guidelines were updated and further clarifications were added. Most notably, a clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of direct collection, as well as the meaning of “the data importer is in a third country”. Moreover, an annex was added with further illustrations of the examples included in the guidelines to facilitate understanding.
- Guidelines on certification as a tool for transfers: The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool. The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification. Following public consultation, the Guidelines were updated to reflect comments received.
- Guidelines on deceptive design patterns in social media platform interfaces: The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe on GDPR requirements. The guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR. Following public consultation, the final version integrates updated wording and further clarifications in order to address comments and feedback received. In particular, the title of the Guidelines has been modified and the term “dark pattern” has been replaced by the term “deceptive design patterns”. In addition, some clarifications were added, for example on how to integrate the present Guidelines in the design thinking process and a second Annex was added, providing a quick overview of all the best practices.