What is the European Data Protection Board?

The EDPB is the independent EU body responsible for ensuring consistent application of the GDPR across the European Economic Area. It publishes binding guidelines and resolves cross-border enforcement disputes among national supervisory authorities.

Is EDPB guidance binding?

EDPB guidelines are not statutes but they are binding in the sense that national supervisory authorities and the EDPB itself must take them into account, and courts will use them to interpret GDPR provisions. Departing from EDPB guidance requires strong justification.

Which EDPB document governs personal data breach notification?

EDPB Guidelines 9/2022 on personal data breach notification under Regulation 2016/679, version 2.0 adopted April 2023. The document replaces the earlier Article 29 Working Party guidance.

Does EDPB issue fines?

No. National supervisory authorities issue GDPR fines. The EDPB resolves disputes between DPAs in cross-border cases (the consistency mechanism under Article 65) but does not directly impose penalties.

EDPB - European Data Protection Board

Q: How is EDPB different from national DPAs?

Each EU/EEA member state has a DPA that enforces GDPR within its jurisdiction. The EDPB is composed of the heads of all member-state DPAs and provides guidance, resolves cross-border disputes, and ensures consistency.

The European Data Protection Board (EDPB) is the independent European Union body responsible for ensuring the consistent application of the General Data Protection Regulation (GDPR) across the European Economic Area. EDPB publishes binding guidelines, opinions, and recommendations that supervisory authorities and controllers across the EU must take into account.

Source: edpb.europa.eu. Established by Article 68 of the GDPR.

What the EDPB Does

Publishes guidelines on the interpretation and application of GDPR provisions
Issues binding decisions in cross-border GDPR enforcement disputes
Provides opinions on national supervisory authority decisions affecting multiple member states
Approves codes of conduct and certification mechanisms
Promotes cooperation and consistency among national supervisory authorities

Key EDPB Guidance for Incident Response

EDPB Guidelines 9/2022 on personal data breach notification (final version April 2023) replaces the earlier WP29 guidance and is the authoritative reference for GDPR Article 33 and 34 obligations. The document covers when the 72-hour clock starts, what counts as "becoming aware," when notification to individuals is required, and how to handle breaches across multiple jurisdictions.

EDPB vs National DPAs

Each EU/EEA member state has its own Data Protection Authority (DPA) that enforces GDPR within its jurisdiction. The EDPB is composed of the heads of all member-state DPAs plus the European Data Protection Supervisor. EDPB issues binding guidance; DPAs enforce it. In cross-border cases EDPB acts as a dispute-resolution mechanism under the GDPR consistency procedure.

Track GDPR notification clocks

IR-OS tracks the GDPR 72-hour clock and EDPB guidance triggers for notification to supervisory authorities and data subjects.

Start free

EDPB - European Data Protection Board

What the EDPB Does

Key EDPB Guidance for Incident Response

EDPB vs National DPAs

Related Terms

Track GDPR notification clocks