Reference - EDPB/WP29 guidance
Reference · EDPB & WP29 guidelines and opinions (must-knows)
The Exam Blueprint repeatedly asks you to know "EDPB guidelines and opinions" on a topic. You don't need to memorise document numbers, but you SHOULD recognise which guidance governs which subject. Article 29 Working Party (WP29) guidance remains valid where it aligns with the GDPR and where the EDPB has endorsed it.
| Topic | Guidance |
|---|---|
| Controller & processor concepts | EDPB Guidelines 07/2020 |
| Sub-processor obligations | EDPB Opinion 22/2024 |
| Territorial scope (Article 3) | EDPB Guidelines 3/2018 |
| Main establishment (Art 4(16)) | EDPB Opinion 04/2024 |
| Consent | EDPB Guidelines 05/2020 |
| Legitimate interests (Art 6(1)(f)) | EDPB Guidelines 1/2024 (and WP29 Opinion 06/2014) |
| Transparency | WP29 Guidelines (wp260) |
| Right of access | EDPB Guidelines 01/2022 |
| Right to be forgotten / search engines | EDPB Guidelines 5/2019 |
| Data portability | WP29 Guidelines (2017) |
| Automated decisions & profiling | WP29 Guidelines (2018) |
| ePrivacy / GDPR interplay | EDPB Opinion 5/2019 |
| Article 5(3) cookies - technical scope | EDPB Guidelines 2/2023; Cookie Banner Taskforce (2023) |
| Video surveillance / CCTV | EDPB Guidelines 3/2019 |
| Facial recognition (law enforcement) | EDPB Guidelines 05/2022 |
| Targeting of social-media users | EDPB Guidelines 8/2020 |
| Dark patterns in social-media interfaces | EDPB Guidelines 03/2022 |
| Article 23 restrictions | EDPB Guidelines 10/2020 |
| Breach notification | EDPB Guidelines 9/2022; examples 01/2021; WP29 (2018) |
| DPIAs | WP29 DPIA Guidelines (2017) |
| Data protection officers | WP29 DPO Guidelines (2017) |
| Transfers post-Schrems II (supplementary measures) | EDPB Recommendations 01/2020 |
| Derogations (Article 49) | EDPB Guidelines 2/2018 |
| Codes of conduct as transfer tools | EDPB Guidelines 04/2021 |
| Certification (Articles 42–43) | EDPB Guidelines 1/2018 |
| Lead supervisory authority | EDPB Guidelines 8/2022 (and WP29) |
| Administrative fines | WP29 Guidelines on Administrative Fines (2017) |
How this is tested
The exam rarely asks for a document number. It asks what the guidance says (e.g., the three cumulative conditions for legitimate interest, or the six dark-pattern categories). Learn the substance; let the number be a label.
Key terms - quick answers
What is “EDPB”?
European Data Protection Board - replaced the Article 29 Working Party on 25 May 2018; issues guidelines, recommendations and binding decisions.
What is “WP29”?
Article 29 Working Party - the EDPB's predecessor; its guidance is still relevant where consistent with the GDPR.