GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 4. Definitions
1 obligation
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Article 37. Designation of the data protection officer
1 obligation
Article 38. Position of the data protection officer
8 obligations
GDPR-38-01
Data Governance
Involve DPO in data protection matters
Controllers and processors must ensure the data protection officer is involved properly and in a timely manner in all is
GDPR-38-02
Requirement
Provide necessary resources to DPO
Controllers and processors must support the data protection officer by providing resources necessary to carry out their
GDPR-38-03
Requirement
Maintain DPO expert knowledge
Controllers and processors must support the data protection officer in maintaining his or her expert knowledge.
GDPR-38-04
Requirement
Ensure DPO independence from instructions
Controllers and processors must ensure that the data protection officer does not receive any instructions regarding the
GDPR-38-05
Prohibition
Prohibit dismissal or penalization of DPO
Controllers and processors shall not dismiss or penalise the data protection officer for performing their tasks.
GDPR-38-06
Requirement
Ensure DPO reports to highest management level
Controllers and processors must ensure that the data protection officer directly reports to the highest management level
GDPR-38-07
Requirement
Ensure DPO maintains secrecy or confidentiality
The data protection officer must be bound by secrecy or confidentiality concerning the performance of their tasks, in ac
GDPR-38-08
Requirement
Prevent DPO conflict of interests
Controllers or processors must ensure that any other tasks and duties assigned to the data protection officer do not res
Article 39. Tasks of the data protection officer
6 obligations
GDPR-39-01
Data Governance
DPO must inform and advise on data protection obligations
The data protection officer must inform and advise the controller or processor and employees who carry out processing of
GDPR-39-02
Monitoring
DPO must monitor compliance with GDPR and data protection provisions
The data protection officer must monitor compliance with GDPR, other data protection provisions, and the organization's
GDPR-39-03
Data Governance
DPO must provide advice on data protection impact assessments
The data protection officer must provide advice when requested regarding data protection impact assessments and monitor
GDPR-39-04
Data Governance
DPO must cooperate with supervisory authority
The data protection officer must cooperate with the supervisory authority in the performance of their duties.
GDPR-39-05
Data Governance
DPO must act as contact point for supervisory authority
The data protection officer must act as the contact point for the supervisory authority on processing issues, including
GDPR-39-06
Risk Management
DPO must consider processing risks in task performance
The data protection officer must have due regard to the risk associated with processing operations when performing their
Article 40. Codes of conduct
9 obligations
GDPR-40-01
Requirement
Member States shall encourage development of codes of conduct
Member States must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDPR
GDPR-40-02
Requirement
Supervisory authorities shall encourage development of codes of conduct
Supervisory authorities must encourage the drawing up of codes of conduct intended to contribute to the proper applicati
GDPR-40-03
Requirement
The Board shall encourage development of codes of conduct
The Board must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDPR, ta
GDPR-40-04
Requirement
Commission shall encourage development of codes of conduct
The Commission must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDP
GDPR-40-05
Requirement
Controllers not subject to GDPR must make binding commitments for code adherence
Controllers not subject to GDPR that adhere to approved codes of conduct for data transfers must make binding and enforc
GDPR-40-06
Requirement
Processors not subject to GDPR must make binding commitments for code adherence
Processors not subject to GDPR that adhere to approved codes of conduct for data transfers must make binding and enforce
GDPR-40-07
Requirement
Codes of conduct must contain compliance monitoring mechanisms
A code of conduct must contain mechanisms which enable the monitoring body to carry out mandatory monitoring of complian
GDPR-40-08
Registration
Code drafters must submit draft codes to competent supervisory authority
Associations and other bodies that intend to prepare a code of conduct or amend/extend an existing code must submit the
GDPR-40-09
Requirement
Supervisory authority shall provide opinion on draft codes
The supervisory authority must provide an opinion on whether the draft code, amendment or extension complies with GDPR a