The European Data Protection Board (EDPB) published three finalised sets of guidelines on 24 February 2023, following public consultation.
The guidelines cover:
- The interplay between the territorial scope of the EU GDPR (GDPR) and its provisions on international transfers
- Certification as a tool for data transfers
- Deceptive design patterns in social media interfaces
Territorial scope and international transfers
These guidelines clarify the interplay between the application of Article 3 of GDPR’s "territorial scope" and the provisions on international transfers in Chapter V. The GDPR does not provide a legal definition of a “transfer of personal data to a third country or to an international organisation”, so the EDPB provides three cumulative criteria for a processing operation to qualify as a transfer. If a transfer meets the EDPB’s criteria, Chapter V of the GDPR should be applied.
The three criteria are:
- A controller or a processor (exporter) are subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (importer).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
The guidelines assist controllers and processors in identifying when a processing operation constitutes an international transfer. Amongst other clarifications, the EDPB provides further information and examples of the responsibilities of controllers and processors with respect to different processing operations.
For example, an individual, Maria lives in Italy and books a hotel room in New York using an online EEA travel agent. Maria’s personal data is collected by the EEA travel agent in order to book her hotel room, and is sent to the hotel. The New York hotel is a separate data controller. Therefore, while transferring Maria’s personal data to the third country hotel, the EEA travel agent carries out a transfer of personal data and Chapter V GDPR applies.
Certification as a tool for transfer
Certification refers to a scheme issued to an organisation to certify and demonstrate compliance of data processing operations with the GDPR.
Certifications can be used by organisations to transfer personal data to third countries under the GDPR where there is no adequacy agreement and offer an alternative to standard contractual clauses. The EDPB issued guidelines on the practical use of this tool, which are aimed at complementing the existing guidelines 1/2018 on certification.
Deceptive design patterns in social media platform interfaces
These guidelines provide practical recommendations to designers and users of social media platforms to avoid deceptive "dark patterns" that breach the GDPR. Dark patterns aim to influence user behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.
In the guidelines, the EDPB provide advice on the guidelines and how they should be used in the design planning process, including an annex with an overview of best practices.
More information on the three guidelines can be found here: https://edpb.europa.eu/news/news/2023/edpb-publishes-three-guidelines-following-public-consultation_en
Beverley Whittaker
Sinead Hughes