Definition. The European Data Protection Board (EDPB) is the EU body composed of the heads of all national data protection authorities and the European Data Protection Supervisor (EDPS). Established by Article 68 GDPR, it ensures consistent application of the GDPR across the EU/EEA through guidelines, opinions, and binding dispute resolution decisions under Article 65. The EDPB succeeds the Article 29 Working Party. Its 2025 budget was approximately €4.8 million.
The European Data Protection Board (EDPB) is the central interpretive authority for the GDPR. Every EU controller must understand what the EDPB does because its guidelines define how regulators apply the law, its opinions shape national DPA decisions, and its binding decisions under Article 65 settle cross-border disputes between authorities.
This guide explains the EDPB’s structure, its three main outputs, the most consequential decisions of 2024-2025, and how to use EDPB documents in compliance work. For the broader regulatory context, see our data privacy compliance guide.
Key takeaways
- The EDPB consists of the heads of all 27 EU + 3 EEA national data protection authorities + the EDPS.
- It produces three main outputs: guidelines (interpretive), opinions (advisory on national measures), and binding decisions under Article 65 (resolving DPA disputes).
- EDPB guidelines are not legally binding but are treated as authoritative by national DPAs and courts.
- Article 65 binding decisions are directly enforceable and have produced the largest GDPR fines (Meta €1.2B, May 2023).
- The EDPB does not investigate complaints directly — it coordinates national DPAs that do.
1. Structure and composition
The EDPB is composed of:
- The head of each national supervisory authority (one per Member State + EEA: Iceland, Liechtenstein, Norway)
- The European Data Protection Supervisor (EDPS) for matters concerning EU institutions
- The European Commission participates with no voting rights
The Board has approximately 30 members. Decisions require simple majority for guidelines and opinions, two-thirds for binding decisions under Article 65.
The EDPB operates from Brussels with a Secretariat of around 30-40 staff. Working groups (called “expert subgroups”) draft preliminary versions of guidelines covering specific topics: Cross-border Transfers, Cooperation, Enforcement, Technology, etc.
2. The three main outputs
Guidelines
Detailed interpretive documents on specific GDPR topics, typically 50-150 pages. Issued after public consultation. While not legally binding, they are treated as the authoritative interpretation by national DPAs and routinely cited in court.
Notable guidelines (selection):
- Guidelines 04/2019 on Article 25 (Data Protection by Design and by Default)
- Recommendations 01/2020 on supplementary measures for international transfers (post-Schrems II) — see our Transfer Impact Assessment guide
- Guidelines 07/2020 on the concepts of controller and processor — see Article 28 vs Article 26
- Guidelines 02/2023 on technical scope of Article 5(3) of the ePrivacy Directive (cookies and tracking)
- Guidelines 01/2024 on legitimate interest as a lawful basis
- Opinion 28/2024 on AI models and personal data
Opinions
Shorter, often issued in response to specific national measures (e.g., a DPA’s draft decision on a major transfer authorization). Opinions clarify the EDPB’s view but don’t bind the requesting authority.
Binding decisions under Article 65
The most consequential EDPB output. When national DPAs disagree on a cross-border case (typically the lead authority and concerned authorities), the EDPB resolves the dispute. Its decision is binding on all involved DPAs.
3. Major Article 65 decisions
The Article 65 mechanism has produced the largest GDPR enforcement actions:
| Date | Case | Outcome |
|---|---|---|
| Dec 2020 | Twitter (Ireland DPC vs other DPAs) | First Article 65 decision, €450K fine increased |
| Sep 2021 | WhatsApp Ireland | Fine raised from €50M to €225M |
| Sep 2022 | Fine raised, special protection for minors clarified | |
| Jan 2023 | Meta Ireland (Facebook & Instagram) | Lawful basis for behavioral ads challenged, total €390M |
| May 2023 | Meta Ireland (Facebook EU-US transfer) | €1.2 billion — largest GDPR fine to date |
| Jul 2024 | LinkedIn Ireland | Behavioral advertising consent requirements |
The pattern: the lead DPA (often Ireland) proposes a moderate decision, concerned DPAs object as too lenient, EDPB rules in favor of the stricter position. This has dramatically tightened enforcement on major platforms.
4. How EDPB outputs apply to your compliance program
For a typical EU controller, EDPB documents matter in three ways:
4.1 Defining “what compliance looks like”
National DPAs apply EDPB guidelines when assessing whether a processing activity meets GDPR requirements. A controller relying on legitimate interest, for example, must conduct a balancing test in the form described by EDPB Guidelines 01/2024. Deviating without justification creates regulatory risk.
4.2 Settling ambiguity in your favor
EDPB documents often clarify gray areas. For example, the boundary between data controller and data processor was contested for years — Guidelines 07/2020 settled it. Citing the EDPB position protects controllers from later DPA challenges.
4.3 Tracking enforcement direction
EDPB priorities signal the next 12-24 months of DPA enforcement. The 2024 focus on AI models, the 2023 focus on dark patterns, the 2022 focus on cookies — each preceded a wave of national DPA decisions on the same topics.
5. The Cooperation and Consistency Mechanism
The EDPB sits at the center of two procedural mechanisms designed to harmonize enforcement:
-
Cooperation (Article 60): when processing affects data subjects in multiple Member States, the lead DPA (where the controller has its main establishment) leads the case in cooperation with concerned DPAs. The EDPB intervenes only if cooperation fails.
-
Consistency (Articles 63-67): ensures consistent interpretation across the EU. National DPAs notify draft decisions of cross-border cases to the EDPB, which can issue opinions. Disputed cases trigger Article 65.
6. Where to find EDPB documents
- Official site: edpb.europa.eu
- All guidelines, opinions, decisions, and annual reports are public
- Annual report (typically published in Q2) summarizes the prior year’s activity
7. Difference from the EDPS
Two often-confused bodies:
| Body | Role |
|---|---|
| EDPB (European Data Protection Board) | Coordinates national DPAs, issues guidelines on GDPR application across all sectors and controllers |
| EDPS (European Data Protection Supervisor) | Independent supervisory authority for EU institutions and bodies (Commission, Parliament, Frontex, etc.) |
The EDPS sits on the EDPB but its enforcement role is limited to EU institutions.
8. Practical use: building a compliance position
When designing a new processing activity:
- Identify the most relevant EDPB guidelines (e.g., for AI training data: Opinion 28/2024)
- Read the guideline and identify the criteria the EDPB considers determinative
- Document how your processing meets each criterion
- Cite the guideline in your DPIA, ROPA, and privacy policy
This positions your organization to defend the processing if challenged by a DPA. Without this groundwork, defending compliance against a challenge is significantly harder.
For implementation tooling: Legiscope maps EDPB guidelines to ROPA entries, alerts on new guidelines relevant to your processing activities, and produces DPIAs aligned with EDPB methodology.
For related deep-dives: Standard Contractual Clauses guide, Transfer Impact Assessment, data privacy compliance guide, GDPR audit methodology.
Conclusion
The EDPB is invisible to most controllers until it’s not — and at that point, an Article 65 decision can multiply a fine by 5-25x. Tracking EDPB priorities is the single highest-leverage signal of where DPA enforcement is heading. Reading the relevant guideline before designing a new processing activity transforms compliance from reactive to defensible.
FAQ
What does the EDPB do?
The EDPB ensures consistent application of the GDPR across the EU. Its three main outputs are: guidelines (interpretive documents), opinions (on specific national measures), and binding decisions under Article 65 that resolve disputes between national DPAs.
Are EDPB guidelines legally binding?
Guidelines are not legally binding but are treated as authoritative by national DPAs and courts. Deviating from EDPB guidelines without justification creates significant regulatory risk. Article 65 decisions, by contrast, are directly enforceable against the involved DPAs.
What is the difference between the EDPB and the EDPS?
The EDPB coordinates the 30 national data protection authorities and issues guidelines for all controllers. The EDPS (European Data Protection Supervisor) is the independent authority that supervises EU institutions and bodies (Commission, Parliament, etc.).
How are Article 65 binding decisions made?
When the lead supervisory authority and concerned authorities disagree on a cross-border case, the EDPB resolves the dispute. A two-thirds majority is required. The decision is binding on all involved DPAs and has produced the largest GDPR fines (Meta €1.2B in May 2023).
How can I use EDPB documents in compliance work?
Identify guidelines relevant to your processing activity, document how your processing meets the criteria the EDPB considers determinative, and cite the guideline in your DPIA and privacy policy. This builds a defensible position if your processing is later challenged by a DPA.
Automate your GDPR compliance
Save 340+ hours per year on compliance work. Legiscope provides AI-powered GDPR management trusted by compliance professionals.
Discover Legiscope
