European Data Protection Board (Article 29 Working Party) by theme

As mentioned in Articles 63 to 76 and Recitals (135) to (140) of the GDPR, the European Data Protection Board (EDPB) [LINK] is the EU body in charge of the application of the General Data Protection Regulation (GDPR) as of 25 May 2018. It's made up of the head of each DPA and of the European Data Protection Supervisor (EDPS) or their representatives. The European Commission takes part in the meetings of the EDPB without voting rights. The secretariat of the EDPB is provided by the EDPS. 

The Article 29 Working Party (Art. 29 WP) was the independent European working party that dealt with issues relating to the protection of privacy and personal data prior to 25 May 2018 (entry into application of the GDPR

Bizoneo follow the clarification offered by the EDPB to ensure it remains the easiest solution to centralise GDPR activity.

Official GDPR text in all EU languages

This is not an EDPB text, but it's the key to all  [LINK]


Tip: To help prepare privacy policies (Article 12,13, 14)

  • 13 April 2018 - Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) [LINK]

Personal data

Tip: Personal Data is different to PII (personally identifiable information). Article 4 of GDPR reminder: 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • 20 June 2007 - It's an old opinion on the concept of personal data, but it can help the comprehension - WP 136 [LINK]

Personal data at work

Personal Data at work is a major piece. Employers need to tell staff how their personal data is handled.

  • 23 June 2017 - Opinion 2/2017 on data processing at work - wp249 [LINK]


Portability is linked to transparency since it's one of the data-subject rights under GDPR

  • 27 October 2018 - Guidelines on the right to "data portability" (wp242rev.01) [LINK]


Tip: remember that consent is only one of the 6 lawful bases of processing.

  • 16 April 2018 Guidelines on Consent under Regulation 2016/679 (wp259rev.01) [LINK]

Cookie Consent

Note: cookie consent is e-Privacy rather than GDPR.

  • 2 October 2013 Working Document providing guidance on obtaining consent for cookies (WP 208) [LINK to PDF]
  • 7 June 2012 - Opinion 04/2012 on Cookie Consent Exemption [LINK to PDF]
    This one goes in length explaining cookies

Breach notification

Tip: To help prepare breach notifications (Article 33)

  • 6 February 2018 - Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) [LINK]


  • 13 Febuary 2018 - Guidelines on the application and setting of administrative fines (wp253). [LINK]

Automated decision-making and Profiling

  • 13 February 2018 - Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)  [LINK]

Data Protection Impact Assessment (DPIA)

  • 13 October 2018 - Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) [LINK]

Data Protection Officers

  • 30 Oct 2017 - Guidelines on Data Protection Officers ('DPOs') (wp243rev.01) [LINK}


Tip: Use anonymisation with care, as data may not be as anonymous as it seems.

  • 10 April 2014 - Opinion 05/2014 on Anonymisation Techniques [LINK to PDF]

Export personal data outside the EEA


  • Not an Article 29 WP, this is the main Commission's reference on data transfers outside the EEA [LINK]

Binding corporate rules

Binding corporate rules are internal rules for data transfers within multinational companies.

  • 17 May 2018 - List of companies for which the EU BCR cooperation procedure is closed [LINK]
  • 19 April 2018 - Recommendation on the approval of the Controller Binding Corporate Rules form (wp264) [LINK]
  • 19 April 2018 - Recommendation on the approval of the Processor Binding Corporate Rules form (wp265) [LINK]
  • 29 November 2017 - Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (wp257) [LINK]
  • 29 November 2017 - Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated)  (wp256) [LINK]

Privacy Shield

The EU-US Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. 

Note: Privacy shield is based on the Directive 95/46/EC (eg pre-GDPR). Privacy Shield is not up to the standard of GDPR.

  • 28 November 2017 - EU-U.S. Privacy Shield - First annual Joint Review (WP 255) [LINK]
  • 13 April 2016 - Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision [LINK]

Contractual clauses

  • 21 March 2014 - Working document 01/2014 on Draft Ad hoc contractual clauses "EU data processor to non-EU sub-processor" [LINK]