EDPB releases final guidelines on dark patterns, on certification as a transfer tool and on territorial scope and Chapter V GDPR

Jane Finlayson-Brown

Anita Anand

Senior Associate, aosphere


01 March 2023

On 24 February 2023, the European Data Protection Board (the EDPB) published final versions of three sets of guidelines under the GDPR, following public consultation last year. The guidelines are summarised below.

Guidelines on the interplay between territorial scope (Article 3) and international transfers (Chapter V)

The GDPR's provisions stipulating its extra-territorial scope and the lack of definition of the concept of 'transfer' in the GDPR have resulted in grey areas in understanding what sort of activities constitute a 'transfer' requiring protection under the international transfer restrictions. The guidelines aim to clarify these issues and contain several examples of specific factual circumstances; these have been expanded and clarified following consultation last year (see Allen & Overy blog for further details, here).

In addition, the EDPB has added a new Annex 4 setting out safeguards to be applied even where there is no transfer, but where the data is processed outside the EU (e.g. where an employee of an EU controller travels abroad and has access to the data of that controller while being in a third country, or in case of direct collection from individuals in the EU). 

Guidelines on certification as a tool for transfers

These guidelines (which supplement the more general Guidelines 1/2018 on certification) provide guidance on: 

  • how certification can be used as a basis for transfers;
  • the accreditation criteria for certification bodies; 
  • the certification criteria to be included in any certification mechanism; and 
  • the elements to be addressed in the binding and enforceable commitments to apply the relevant safeguards which are required when relying on this basis of transfer. 

For details on the consultation version of the guidelines, see Allen & Overy blog here. Finalisation of these guidelines now leaves the door open for certification structures to be put in place by Member States.     

Guidelines on deceptive design patterns in social media platform interfaces

These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns (also referred to as dark patterns) in social media interfaces that infringe GDPR requirements. The guidelines give concrete examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR. Following public consultation last year, minor clarifications have been made and a further Annex has been added setting out best practices. For details on the consultation version of the guidelines, see aosphere blog here.

Read the press release here (with links to all the guidelines).

This entry was first published by aosphere.
