GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 1. Subject matter and objectives
1 obligation
Chapter II — Principles
Article 10. Processing of personal data relating to criminal convictions and offences
2 obligations
GDPR-10-01
Requirement
Criminal data processing control requirement
Processing of personal data relating to criminal convictions and offences or related security measures must be carried o
GDPR-10-02
Requirement
Criminal convictions register control requirement
Any comprehensive register of criminal convictions must be kept only under the control of official authority.
Article 11. Processing which does not require identification
4 obligations
GDPR-11-01
Prohibition
No obligation to maintain/acquire identification data for GDPR compliance alone
When processing purposes do not require identification of data subjects, controllers are not obligated to maintain, acqu
GDPR-11-02
Transparency
Inform data subject when unable to identify them
When the controller can demonstrate inability to identify the data subject in non-identification processing contexts, th
GDPR-11-03
Documentation
Demonstrate inability to identify data subject
Controllers must be able to demonstrate that they are not in a position to identify the data subject when claiming exemp
GDPR-11-04
Requirement
Apply Articles 15-20 when data subject provides identifying information
When data subjects provide additional information enabling their identification for exercising rights under Articles 15-
Chapter III — Rights of the Data Subject
Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject
16 obligations
GDPR-12-01
Transparency
Provide information in transparent, accessible form with clear language
Controllers must take appropriate measures to provide any information referred to in Articles 13 and 14 and any communic
GDPR-12-02
Requirement
Provide information in writing or other means including electronic
Controllers must provide the required information in writing, or by other means, including where appropriate by electron
GDPR-12-03
Requirement
Provide information orally when requested if identity verified
When requested by the data subject, controllers may provide the information orally, provided that the identity of the da
GDPR-12-04
Requirement
Facilitate exercise of data subject rights
Controllers must facilitate the exercise of data subject rights under Articles 15 to 22.
GDPR-12-05
Prohibition
Cannot refuse to act unless unable to identify data subject
In cases referred to in Article 11(2), controllers shall not refuse to act on requests for exercising rights under Artic
GDPR-12-06
Requirement
Provide information on action taken within one month
Controllers must provide information on action taken on requests under Articles 15-22 to the data subject without undue
GDPR-12-07
Requirement
May extend response period by two months if justified
Controllers may extend the one-month response period by two further months where necessary, taking into account the comp
GDPR-12-08
Requirement
Inform data subject of extension within one month with reasons
Controllers must inform the data subject of any extension within one month of receipt of the request, together with the
GDPR-12-09
Requirement
Provide electronic response to electronic requests unless otherwise requested
Where the data subject makes the request by electronic means, controllers must provide the information by electronic mea
GDPR-12-10
Requirement
Inform data subject of reasons for not taking action within one month
If the controller does not take action on the request of the data subject, the controller must inform the data subject w
GDPR-12-11
Requirement
Provide information and communications free of charge
Information provided under Articles 13 and 14 and any communication and actions taken under Articles 15-22 and Article 3
GDPR-12-12
Requirement
May charge reasonable fee or refuse manifestly unfounded or excessive requests
Where requests from a data subject are manifestly unfounded or excessive, particularly because of their repetitive chara
GDPR-12-13
Requirement
Bear burden of demonstrating manifestly unfounded or excessive character
Controllers must bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
GDPR-12-14
Requirement
May request additional information to confirm identity if reasonable doubts
Where controllers have reasonable doubts concerning the identity of the natural person making requests referred to in Ar
GDPR-12-15
Requirement
May use standardised icons with information provided
Information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardi
GDPR-12-16
Requirement
Electronic icons must be machine-readable
Where icons are presented electronically they must be machine-readable.
Article 13. Information to be provided where personal data are collected from the data subject
2 obligations
GDPR-13-01
Transparency
Provide controller identity and contact details
The controller must provide the data subject with the identity and contact details of the controller and, where applicab
GDPR-13-02
Transparency
Provide data protection officer contact details
The controller must provide the contact details of the data protection officer to the data subject at the time when pers