
EDPB Guidelines: An Essential Exam Method

The GDPR is the law. EDPB guidelines are interpretation. CJEU rulings bind. Three different sources, three different weights, three different ways the exam tests them. Candidates who treat all three as interchangeable lose marks they did not need to lose.

This is exam-readiness territory rather than topic content, and it improves accuracy across CIPP/E, AIGP and the other IAPP certifications. The trick is reading what the question is actually asking before deciding where the answer comes from.

GDPR text, EDPB guidelines, CJEU rulings: three different sources

A typical IAPP exam question contains a short factual scenario and four answer options. The question stem signals which legal source you are being asked to apply. If the stem says “the GDPR requires”, the answer turns on the Regulation’s text itself. If the stem says “according to EDPB guidance” or “the European Data Protection Board has indicated”, the answer turns on official interpretation. If the stem says “the Court of Justice ruled” or names a case, the answer turns on binding case law.

Each source carries different weight. The Regulation is law. Recitals are interpretive aids that help read the law but do not create independent obligations. CJEU rulings bind every court and authority in the Union, and they can override an EDPB position. EDPB guidelines are authoritative interpretation, not law; they bind regulators in their consistency obligations under Article 70 GDPR but they do not bind the Court.

The legal hierarchy that drives EDPB guidelines questions

Memorise this order:

  • Treaty rights, including Articles 7 and 8 of the Charter of Fundamental Rights (privacy and data protection).
  • The GDPR Articles, in their consolidated text.
  • Recitals, used for interpretation.
  • CJEU case law, binding on national courts and DPAs.
  • EDPB guidelines and opinions, authoritative interpretation.
  • National DPA decisions, persuasive within their jurisdiction and instructive for the exam.

This hierarchy explains why a CJEU ruling can supersede an EDPB position, why EDPB guidelines can refine but not contradict an Article, and why a national DPA fine is a useful illustration on the exam but not the controlling authority on the legal point.

Spotting which source the question is testing

Watch the verbs in the question stem. “The GDPR provides”, “Article 13 requires”, “Chapter V permits”: text-of-the-law questions. The answer is in the Regulation. Do not bring in EDPB guidelines unless the GDPR text is genuinely ambiguous on the point.

“EDPB guidance suggests”, “the EDPB has indicated”, “the Board’s opinion concludes”: guidance questions. The answer comes from the 10 to 14 examinable EDPB documents the IAPP has flagged. Memorise the headlines of each one.

“The Court ruled”, “the CJEU held”, or a named case: case-law questions. The answer is the ratio decidendi of the named ruling. Schrems I and II, Google Spain, Wirtschaftsakademie, Fashion ID, Planet49 and SCHUFA Holding (Scoring) are the six the exam returns to most often.

Three worked examples using EDPB guidelines well

Lawful basis: Article 6 plus EDPB guidelines

A scenario asks whether a controller can rely on legitimate interest for a behavioural-advertising use. Article 6(1)(f) is the legal hook. EDPB Guidelines 1/2024 supply the three-part test: legitimate, necessary, balanced against the data subject’s interests. The answer needs both the Article and the test as the EDPB has interpreted it. Citing only the Article risks a wrong answer on a question that explicitly invites the guidance.

Transfers: Article 46 plus EDPB guidelines

A scenario asks whether SCCs are sufficient for a transfer to a US processor whose parent is subject to FISA Section 702. Article 46(2)(c) is the SCC hook. EDPB Recommendations 01/2020 on supplementary measures supply the operative test. The answer requires both: SCCs are valid in principle, the transfer impact assessment must establish essential equivalence, and supplementary measures are required where the assessment shows a gap.

Automated decisions: Article 22, EDPB guidelines and SCHUFA

A scenario describes a credit-scoring agency providing a probability score that the lender then applies to a loan decision. Article 22(1) is the prohibition. EDPB guidelines on automated decision-making (the WP29 inheritance, plus subsequent EDPB material) provide the framework. The CJEU’s SCHUFA ruling settles the scope question: an upstream automated score that is heavily relied on for a downstream decision is itself an Article 22 decision. All three sources point to the same answer; missing the SCHUFA reference is the marker the exam is testing.

A short CJEU shortlist worth memorising

Case law from the Court of Justice appears regularly enough to repay rote learning of the headline rulings. Schrems I and II for transfer mechanisms; Google Spain for the right to be forgotten; Wirtschaftsakademie and Fashion ID for joint-controller scope; Planet49 for cookies and consent; SCHUFA for Article 22; Lindqvist for territorial scope. Six headings, six one-line takeaways. Twenty minutes of revision, and a noticeable lift in scenario accuracy.

When in doubt, default to the Article

The pragmatic rule: if you cannot tell what the question is asking, default to the GDPR Article. EDPB guidelines and CJEU case law are correct answers only when the question explicitly invites them. For article-pure questions, forcing in guidance is the most common way candidates throw away marks they actually knew.

A short next step on 22academy.com/study or the PSG CIPP/E study guide will walk you through which EDPB guidelines the IAPP has flagged for the current Body of Knowledge.
