What's new?

We will update this page to highlight and link to what’s new in our Guide to Data Protection.

April 2021

We have published guidance on the National Security Provisions in Part 3 of the DPA18 and updated the Guide to Intelligence Services Processing.

March 2021

We have published new guidance on the national security exemption in Part 2 of the DPA18.

January 2021

We have published an Updated BCR communication following the EU-UK Trade and Co-operation Agreement to the International transfers after the UK exit from the EU Implementation Period.

December 2020

We have published the new Data Sharing Code of Practice, alongside a data sharing information hub with further resources and support.

In addition, we published detailed guidance on sharing personal data with law enforcement authorities, and detailed guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes.

November 2020

We have published detailed guidance on criminal offence data.

September 2020

We have published the Accountability Framework, which provides detailed guidance on complying with the accountability principle.

February 2020

We have published detailed guidance on codes of conduct and certification.

January 2020

The Danish Data Protection Agency has adopted Standard Contractual Clauses (SCCs) which have been approved by the European Data Protection Board (EDPB). We have updated our detailed guidance on contracts and liabilities between controllers and processors to reflect this.

November 2019

We have published detailed guidance on special category data and updated the Guide page on special category data. We have also published a template appropriate policy document. This is required by many of the DPA 2018 schedule 1 conditions for processing.

In addition, we have published a template Part 3 appropriate policy document. We have updated the conditions for sensitive processing and principles pages in the Guide to Law Enforcement Processing to provide further guidance on the Part 3 appropriate policy document.

September 2019

We have published guidance on manifestly unfounded and excessive requests under the Guide to Law Enforcement Processing.

August 2019

We have updated our position on how to calculate the time limit for responding to requests (in relation to Individual rights) following a determination made in a Court of Justice of the European Union (CJEU) case which has been adopted by the European Data Protection Board (EDPB). We have also added guidance on the meaning of ‘manifestly unfounded or excessive’. The following pages have been updated:

June 2019

The European Data Protection Board (EDPB) published Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects for consultation. The consultation closed on 24 May.

We have updated the page in the lawful basis section on contract and the lawful basis tool to reflect the Guidelines.

March 2019

The European Data Protection Board (EDPB) has adopted:

The EDPB has also published the following Guidelines for consultation:

Guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 – Annex 2 – closing 29 March 2019.
Guidelines on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 – closing 2 April 2019.

Comments should be sent to [email protected].

We've also updated our guidance on the Right to be Informed.

December 2018

We have published our Guide to Data Protection, combining our existing guidance on the GDPR and law enforcement regimes with new guidance explaining some basic concepts, how the DPA 2018 works, and which regim e applies.

We have expanded our guidance on scope and key definitions in the guide to law enforcement processing.

We have expanded our guidance on contracts, published guidance on controllers and processors and published detailed guidance on controllers and processors and contracts and liabilities.

November 2018

We have published detailed guidance on encryption.

September 2018

We have expanded our guidance on Exemptions.

August 2018

We have expanded our guidance on International transfers.

May 2018

The European Data Protection Board (EDPB) has published draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 for consultation. The consultation will end on 12 July.

We have published detailed guidance on children and the GDPR.

We have published detailed guidance on determining what is personal data.

We have expanded our guidance on data protection by design and default, and published detailed guidance on automated decision-making and profiling.

We have published a new page on codes of conduct, and a new page on certification.

We have published detailed guidance on the right to be informed.

We have published detailed guidance on Data Protection Impact Assessments (DPIAs).

We have expanded the pages on the right of access and the right to object.

We have published detailed guidance on consent.

We have expanded the page on the right to data portability.

April 2018

We have expanded the page on Accountability and governance.

We have expanded the page on Security.

We have updated all of the lawful basis pages to include a link to the lawful basis interactive guidance tool.

March 2018

We have published detailed guidance on DPIAs for consultation. The consultation will end on 13 April 2018. We have also updated the guide page on DPIAs to include the guide level content from the detailed guidance.

We have published detailed guidance on legitimate interests.

We have expanded the pages on:

February 2018

The consultation period for the Article 29 Working party guidelines on consent has now ended and comments are being reviewed. The latest timetable is for the guidelines to be finalised for adoption on 10-11 April.

The consultation period for the Article 29 Working Party guidelines on transparency has now ended.

Following the consultation period, the Article 29 Working Party has adopted final guidelines on Automated individual decision-making and Profiling and personal data breach notification. These have been added to the Guide.

We have published our Guide to the data protection fee.

We have updated the page on Children to include the guide level content from the detailed guidance on Children and the GDPR which is out for public consultation.

January 2018

We have published more detailed guidance on documentation.

We have expanded the page on personal data breaches.

We have also added four new pages in the lawful basis section, covering contract, legal obligation, vital interests and public task.

December 2017

We have published detailed guidance on Children and the GDPR for public consultation. The consultation closes on 28 February 2018.

The sections on Lawful basis for processing and Rights related to automated individual decision making including profiling contain new expanded guidance. We have updated the section on Documentation with additional guidance and documentation templates. We have also added new sections on legitimate interests, special category data and criminal offence data, and updated the section on consent.

The Article 29 Working Party has published the following guidance, which is now included in the Guide.

It is inviting comments on these guidelines until 23 January 2018.

The consultation for the Article 29 Working Party guidelines on breach notification and automated decision-making and profiling ended on 28 November. We are reviewing the comments received together with other members of the Article 29 Working Party and expect the guidelines to be finalised in early 2018.

November 2017

The Article 29 Working Party has published guidelines on imposing administrative fines.

We have replaced the Overview of the GDPR with the Guide to the GDPR. The Guide currently contains similar content to the Overview, but we have expanded the sections on Consent and Contracts and Liabilities on the basis of the guidance on these topics which we have previously published for consultation.

The Guide to the GDPR is not yet a finished product; it is a framework on which we will build upcoming GDPR guidance and it reflects how future GDPR guidance will be presented. We will be publishing more detailed guidance on some topics and we will link to these from the Guide. We will do the same for guidelines from the Article 29 Working Party.

October 2017

The Article 29 Working Party has published the following guidance, which is now included in our overview.

The Article 29 Working Party has also adopted guidelines on administrative fines and these are expected to be published soon.

In the Rights related to automated decision making and profiling we have updated the next steps for the ICO.

In the Key areas to consider we have updated the next steps in regard to the ICO’s consent guidance.

The deadline for responses to our draft GDPR guidance on contracts and liabilities for controllers and processors has now passed. We are analysing the feedback and this will feed into the final version.

September 2017

We have put out for consultation our draft GDPR guidance on contracts and liabilities for controllers and processors.

July 2017

In the Key areas to consider we have updated the next steps in regard to the ICO’s consent guidance and the Article 29 Working Party’s Europe-wide consent guidelines.

June 2017

The Article 29 Working Party’s consultation on their guidelines on high risk processing and data protection impact assessments closed on 23 May. We await the adoption of the final version.

January 2017

Article 29 have published the following guidance, which is now included in our overview:

Data portability
Lead supervisory authorities
Data protection officers