background blue with waves

Handy Documents and Materials

In this section you can find links to some documents that may help you better understand the data-protection regulation and configure your processing accordingly.

EEA and UK

  1. GDPR. General Data Protection Regulation is a regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law outlining approaches to processing of personal data;
  2. E-Privacy Directive. E-privacy Directive 2009/136/EC concerns the processing of personal data and the protection of privacy in the electronic communications sector. The E-privacy Directive covers processing of personal data and the protection of privacy including provisions on the security of networks and services; the confidentiality of communications; access to stored data; processing of traffic and location data; calling line identification; public subscriber directories; and unsolicited commercial communications ("spam").
  3. EDPB Guidelines on Data Breach Notification. Guidelines 9/2022 on personal data breach notification under GDPR;
  4. EDPB Guidelines on Dark Patterns in Social Media. Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them;
  5. EDPB Guidelines on Right of Access. Guidelines 01/2022 on data subject rights - Right of access;
  6. EDPB Guidelines on Controller and Processor. Guidelines 07/2020 on the concepts of controller and processor in the GDPR;
  7. EDPB Guidelines on Social Media Targeting. Guidelines 8/2020 on the targeting of social media users;
  8. EDPB Guidelines on Consent.Guidelines 05/2020 on consent under Regulation 2016/679;
  9. WP243 Guidelines on DPO. Guidelines on Data Protection Officers ('DPOs') (wp243rev.01);
  10. WP 217 Guidelines on legitimate interests. Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC;
  11. UK GDPR and DPA 2018. The Data Protection Act 2018 is the UK’s implementation of the GDPR (UK GDPR). Meanwhile, the UK GDPR is supplemented by the DPA in some places. The DPA 2018 applies the GDPR’s provisions to certain types of processing that are outside the GDPR’s scope, including processing by public authorities. It sets out data processing regimes for law enforcement processing and intelligence processes. The UK GDPR and DPA 2018 should, therefore, be read together.
  12. PECR. The Privacy and Electronic Communications Regulations sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications. PECR implement E-Privacy Directive into the UK law and cover specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemized billing, line identification, and directory listings;
  13. UK ICO (Information Commissioner Officer) Guidance on Data Protection: rights for data subjects.


  1. CAN-SPAM Act of 2003 and Rule. The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. Despite its name, the CAN-SPAM Act doesn't apply just to bulk email. It is supplemented with the CAN-SPAM Rule.
  2. The FTC’s CAN-SPAM Act compliance guide for business;
  3. The Federal Government’s Do Not Call registry;
  4. CCPA. California Consumer Privacy Act gives Californian consumers more control over the personal information that businesses collect about them and the CCPA Regulation provides guidance on how to implement the law. There is an Additional Amendment to Regulation in place;
  5. CPRA. The California Privacy Rights Act is an expansion of the California Consumer Privacy Act (CCPA). CPRA seeks to protect more types of privacy information, provide additional rights for consumers, establish an oversight entity, and detail rights specific to minors.
  6. VCDPA. The Virginia Consumer Data Protection Act gives Virginian consumers more control over the personal information that businesses collect about them;
  7. CPA. The Colorado Privacy Act gives Coloradans more control over the personal information that businesses collect about them;
  8. CTDPA. The Connecticut Data Privacy Act gives Connecticuters more control over the personal information that businesses collect about them;
  9. UCPA. The Utah Consumer Privacy Act gives Utahans more control over the personal information that businesses collect about them.
This article is for informational purposes only and is not a substitute for legal advice. We do not offer legal advice. Please always seek guidance from your own legal counsel.