GDPR Usmernenia



Official guidelines, opinions and recommendations of European data protection supervisory authority (EDPB or Art29WP)


(EN) Article 29 Working Party Guidelines on transparency under Regulation 2016/679
(EN) Adopted on 28 November 2017. As last Revised and Adopted on 10 April 2018. The Guideline describes the meaning of transparency; the elements of transparency under the GDPR (“Concise, transparent, intelligible and easily accessible”; “Clear and plain language”; providing information to children and other vulnerable people; “In writing or by other means”; “..the information may be provided orally”; “Free of charge”); the information to be provided to the data subject – Articles 13 & 14 (“Appropriate measures”; timing for provision of information; changes to Article 13 and Article 14 information; timing of notification of changes to Article 13 and Article 14 information; modalities – format of information provision; layered approach in a digital environment and layered privacy statements/ notices; layered approach in a non-digital environment; “Push” and “pull” notices; other types of “appropriate measures”; information on profiling and automated decision-making; other issues – risks, rules and safeguards); the information related to further processing; visualisation tools (icons; certification mechanisms, seals and marks); the exercise of data subjects’ rights; the exceptions to the obligation to provide information (Article 13 exceptions; Article 14 exceptions); the restrictions on data subject rights; the transparency and data breaches. The Guideline also contains schedule on information that must be provided to a data subject under Article 13 or Article 14.
(EN) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
(EN) Adopted on 12 November 2019. The Guideline stipulates on the application of the establishment criterion — Article 3(1) (“An establishment in the Union”; processing of personal data carried out “in the context of the activities of” an establishment; application of the GDPR to the establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not; application of the establishment criterion to controller and processor); the application of the targeting criterion – Article 3(2) (data subjects in the Union; offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union; monitoring of data subjects’ behaviour; processor not established in the Union; interaction with other GDPR provisions and other legislations); the processing in a place where member state law applies by virtue of public international law; the representative of controllers or processors not established in the union (designation of a representative; exemptions from the designation obligation; establishment in one of the Member States where the data subjects whose personal data are processed; obligations and responsibilities of the representative).
(EN) Guidelines on consent under Regulation 2016/679
(EN) Adopted on 4 May 2020. The Guideline stipulates on the consent in Article 4(11) of the GDPR; the elements of valid consent (free / freely given; imbalance of power; conditionality; granularity; detriment; specific; informed; minimum content requirements for consent to be ‘informed’; how to provide information; unambiguous indication of wishes); obtaining explicit consent; additional conditions for obtaining valid consent (demonstrate consent; withdrawal of consent); interaction between consent and other lawful grounds in Article 6 GDPR; specific areas of concern in the GDPR (information society service; offered directly to a child; age; children’s consent and parental responsibility; scientific research; data subject’s rights); consent obtained under Directive 95/46/EC.
(EN) Guidelines on Data Protection Officers (‘DPOs’)
(EN) Adopted on 13 December 2016. As last Revised and Adopted on 5 April 2017. The Guideline stipulates on the designation of a DPO (mandatory designation; ‘public authority or body’; ‘core activities’; ‘large scale’; ‘regular and systematic monitoring’; special categories of data and data relating to criminal convictions and offences; DPO of the processor; designation of a single DPO for several organisations; accessibility and localisation of the DPO; expertise and skills of the DPO; publication and communication of the DPO’s contact details); the position of the DPO (involvement of the DPO in all issues relating to the protection of personal data; necessary resources; instructions and ‘performing their duties and tasks in an independent manner’; dismissal or penalty for performing DPO tasks; conflict of interests); the tasks of the DPO (monitoring compliance with the GDPR; role of the DPO in a data protection impact assessment; cooperating with the supervisory authority and acting as a contact point; risk-based approach; role of the DPO in record-keeping). The Guideline also contains annex.
(EN) Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679

Adopted on 3 October 2017.
The Guideline stipulates on the principles (infringement of the Regulation should lead to the imposition of “equivalent sanctions”; “effective, proportionate and dissuasive” administrative fines; an assessment “in each individual case”; a harmonized approach to administrative fines); and the assessment criteria in Article 83 (2) (the nature, gravity and duration of the infringement; the intentional or negligent character of the infringement; any action taken by the controller or processor to mitigate the damage suffered by data subjects; any relevant previous infringements by the controller or processor; the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; notification of the infringement; compliance with previously ordered measures referred to in Article 58(2); adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; any other aggravating or mitigating factor).

(EN) Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (Version 2.0)
(EN) Adopted on 20 October 2020. The Guideline stipulates on scope; analysis of Article 25 (1) and (2) data protection by Design and by Default (controller’s obligation to implement appropriate technical and organisational measures and necessary safeguards into the processing; designed to implement the data protection principles in an effective manner and protecting data subjects’ rights and freedoms; elements to be taken into account; time aspect; Article 25(2): data protection by default; dimensions of the data minimisation obligation); implementing data protection principles in the processing of personal data using data protection by Design and by Default (transparency; lawfulness; fairness; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability); Article 25(3) certification; the enforcement of Article 25 and consequences. The Guideline also contains recommendations.
(EN) WP29 opinion on data processing at work
(EN) Adopted on 8 June 2017. The Opinion stipulates on the risks; as well as on the scenarios (processing operations during the recruitment process; processing operations resulting from in-employment screening; processing operations resulting from monitoring ICT usage at the workplace; processing operations resulting from monitoring ICT usage outside the workplace; processing operations relating to time and attendance; processing operations using video monitoring systems; processing operations involving vehicles used by employees; processing operations involving disclosure of employee data to third parties; processing operations involving international transfers of HR and other employee data). The Opinion also contains conclusions and recommendations.