Skip to main content
Data Protection / GDPR

European Data Protection Board

The European Data Protection Board (EDPB) is the independent EU body comprising all national supervisory authorities that ensures consistent application of the GDPR across the EEA through guidelines and binding decisions.

The European Data Protection Board (EDPB, German Europaeischer Datenschutzausschuss, EDSA) is an independent body of the European Union with its own legal personality. It is made up of the head of one supervisory authority from each Member State together with the European Data Protection Supervisor; the European Commission participates without voting rights. Established by Art. 68 GDPR, the EDPB is the successor to the former Article 29 Working Party and the central coordinating body for European data protection.

The core task of the EDPB is to ensure the consistent interpretation and application of the GDPR across all Member States. To this end it publishes guidelines, recommendations and best practices on key questions such as consent, third-country transfers, legitimate interest and the calculation of fines. While these documents are not directly legally binding, they significantly shape the administrative practice of national authorities and the standards against which controllers are measured.

Under the consistency mechanism (Art. 63 et seq. GDPR), the EDPB can also adopt legally binding decisions, in particular where supervisory authorities disagree in cross-border cases (dispute resolution under Art. 65 GDPR) or when approving certain instruments such as binding corporate rules. For data protection officers this means that EDPB guidelines serve as a central reference point for a legally sound interpretation of the GDPR and should be taken into account early when designing processing activities, contracts and data transfers.

Legal Basis

Art. 68 to 76 GDPR (in particular Art. 70 tasks, Art. 64 and 65 consistency and dispute-resolution mechanism)

Practical Example

A mid-sized company plans to transfer customer data to a US-based cloud. Before the data protection officer approves the contract, she consults the EDPB recommendations on supplementary measures for third-country transfers as well as the guidelines on the interplay between an adequacy decision and standard contractual clauses. Based on these requirements she documents a transfer impact assessment and demonstrably shows that the level of protection is equivalent to that of the GDPR - thereby also fulfilling her accountability obligation.

FAQ

EDPB guidelines and recommendations are not directly legally binding, but they carry considerable practical weight. Supervisory authorities and courts rely on them, so controllers should treat them as the benchmark for a legally sound interpretation of the GDPR. The EDPB only adopts binding decisions within the consistency and dispute-resolution mechanism.
National supervisory authorities enforce the GDPR within their Member State and are the first point of contact for companies and data subjects. The EDPB brings these authorities together at EU level, ensures consistent interpretation and decides bindingly where authorities disagree in cross-border cases.
Since the GDPR became applicable on 25 May 2018, the EDPB is the successor to the Article 29 Working Party. Unlike its purely advisory predecessor, the EDPB has its own legal personality and can adopt binding decisions within the consistency mechanism.

How preeco supports you

Learn how our software supports you with this topic.

Learn more

Related Terms

Supervisory authority Consistency mechanism Third Country Transfer Data Protection Compliance Accountability
Back to Glossary