On
February
24,
2023,
following
public
consultation,
the
European
Data
Protection
Board
(EDPB)
published
the
following
three
sets
of
adopted
guidelines:
-
Guidelines
on
the
Interplay
between
the
application
of
Article
3
and
the
provisions
on
international
transfers
as
per
Chapter
V
GDPR
(05/2021)
(final
version); -
Guidelines
on
certification
as
a
tool
for
transfers
(07/2022)
(final
version);
and -
Guidelines
on
deceptive
design
patterns
in
social
media
platform
interfaces
(03/2022)
(final
version).
Guidelines
on
the
Interplay
Between
the
Application
of
Article
3
and
the
Provisions
on
International
Transfers
as
per
Chapter
V
GDPR
Guidelines
05/2021
seek
to
clarify
the
interplay
between
the
territorial
scope
of
the
GDPR,
as
defined
in
Article
3,
and
the
provisions
on
international
transfers
in
Chapter
V.
As
the
EDPB
notes,
the
GDPR
does
not
define
what
constitutes
a
“transfer
of
personal
data
to
a
third
country
or
to
an
international
organization”.
The
EDPB
therefore
identified
the
following
three
criteria
which,
if
all
met,
confirm
that
a
processing
operation
is
an
international
transfer
for
the
purpose
of
Chapter
V:
-
A
controller
or
a
processor
(“exporter”)
is
subject
to
the
GDPR
for
the
given
processing; -
The
exporter
discloses
by
transmission
or
otherwise
makes
personal
data,
subject
to
this
processing,
available
to
another
controller,
joint
controller
or
processor
(“importer”);
and -
The
importer
is
in
a
third
country,
irrespective
of
whether
or
not
this
importer
is
subject
to
the
GDPR
for
the
given
processing
in
accordance
with
Article
3,
or
is
an
international
organization.
Following
public
consultation,
the
original
Guidelines
were
updated
and
clarified
in
certain
respects.
The
most
significant
update
was
regarding
the
responsibilities
of
the
controller
when
the
exporter
is
a
processor.
In
addition,
further
examples
were
included
in
the
adopted
Guidelines
to
provide
better
understanding.
Guidelines
on
Certification
as
a
Tool
for
Transfers
Guidelines
07/2022
provide
guidance
as
to
the
application
of
Article
46(2)(f)
of
the
GDPR
on
transfers
of
personal
data
to
third
countries
or
to
international
organizations
on
the
basis
of
certification.
The
Guidelines
are
composed
of
four
parts,
each
focusing
on
specific
aspects
regarding
certification
as
a
tool
for
transfers,
and
contain
an
annex
which
includes
examples
of
supplementary
measures,
in
line
with
those
listed
in
Recommendations
01/2020,
relevant
in
the
context
of
the
use
of
certification
as
a
transfer
tool.
The
Guidelines
were
updated
to
reflect
comments
received
during
public
consultation.
Guidelines
on
Deceptive
Design
Patterns
in
Social
Media
Platform
Interfaces
Guidelines
03/2022
offer
practical
recommendations
to
designers
and
users
of
social
media
platforms
on
how
to
assess
and
avoid
deceptive
design
patterns
that
violate
the
GDPR.
Deceptive
design
patterns
are,
for
the
purposes
of
the
Guidelines,
interfaces
and
user
journeys
implemented
on
social
media
platforms
that
attempt
to
influence
users
into
making
unintended,
unwilling
and
potentially
harmful
decisions,
often
toward
a
decision
that
is
against
the
users’
best
interests
and
in
favor
of
the
social
media
platforms
interests,
regarding
the
processing
of
their
personal
data.
The
Guidelines
provide
examples
of
deceptive
design
pattern
types,
present
best
practices
for
different
use
cases
and
contain
specific
recommendations
for
designers
of
user
interfaces
that
aim
to
facilitate
the
effective
implementation
of
the
GDPR.
Following
public
consultation,
the
original
Guidelines
were
updated
to
reflect
feedback
received,
including
replacing
the
term
“dark
pattern”
with
“deceptive
design
patters”
in
the
title.