EDPS publishes guidelines on the processing of personal data

Author info
Pieter Gryffroy

The European Data Protection Supervisor publishes guidelines on the processing of personal data through web services and by mobile applications.

As already discussed, on 19 October 2016, the Court of Justice decided that under certain circumstances dynamic IP-addresses are personal data in the sense of article 2 (a) of Directive 95/46/EC and are therefore protected by the provision of that directive and the national measures implementing it, awaiting the entry into force of the GDPR.

This decision, however, is only a small part of a much larger challenge, namely the adequate protection of personal data in the context of online (media) services and mobile applications. Private undertakings, public organisations and governments alike are faced with this sizeable challenge.


That the European Data Protection Supervisor (EDPS) is duly aware of this, is demonstrated by its release of two separate sets of guidelines, respectively on the protection of personal data in the context of online (media) services and in the context of mobile applications. The guidelines are addressed to the EU institutions, which ought to use them in their application of Data Protection Regulation No 45/2001 applicable to the EU institutions, i.e. in the context of their communication, interactions and transactions with EU citizens.

Best practices

Nonetheless, the guidelines can be useful for a range of different actors and organizations. In relation to those entities the guidelines can be seen as a list of best practices, promoting a safety- and privacy-driven approach. This can be illustrated by the guidelines’ recommendations on IP-addresses, which advise to treat logs or records containing IP-addresses as personal data, despite not yet taking into account the Court’s recent case-law on this, which was mentioned above. 

The guidelines deal with questions and problems that can be of utmost relevance in practice:

  • consent and information techniques in the context of both the provision of online services and the use of mobile applications,
  • the use of different types of cookies and the consent question related to this use,
  • the challenges concerning tracking and profiling and the processing of personal data by a third party,
  • the legality of data transfers, etc.

Equally, information security is dealt with extensively, i.a. focusing on secure development, operation and testing, managing vulnerability and the internal procedures for dealing with data breaches, should they nonetheless occur.

Guidelines are not a substitute for legal advice

While the guidelines can certainly be a source of inspiration for many actors processing personal data, it should not be forgotten that the guidelines are not extensive on the subject and are by no means a substitute for legal advice. In case of doubt, or when assessing a complex situation, it is advisable to contact a legal expert.

For more information, contact a time.lex lawyer.