GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 4. Definitions
3 obligations
GDPR-4-02
Requirement
Public Authority Data Protection Rules Compliance
Public authorities that receive personal data in the framework of a particular inquiry must process those data in compli
GDPR-4-03
Documentation
Written Designation of Representative
Controllers or processors must designate their representative in writing when appointing someone to represent them regar
GDPR-4-04
Requirement
Member State Supervisory Authority Establishment
Member States must establish an independent public supervisory authority in accordance with the referenced provisions of
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Article 40. Codes of conduct
6 obligations
GDPR-40-10
Registration
Supervisory authority shall register and publish approved single-state codes
Where the draft code is approved and does not relate to processing activities in several Member States, the supervisory
GDPR-40-11
Requirement
Supervisory authority shall submit multi-state draft codes to Board
Where a draft code relates to processing activities in several Member States, the competent supervisory authority must s
GDPR-40-12
Requirement
Board shall provide opinion on multi-state draft codes
The Board must provide an opinion on whether multi-state draft codes, amendments or extensions comply with GDPR or provi
GDPR-40-13
Requirement
Board shall submit positive opinions to Commission
Where the Board's opinion confirms that the draft code, amendment or extension complies with GDPR or provides appropriat
GDPR-40-14
Transparency
Commission shall ensure publicity for approved codes with general validity
The Commission must ensure appropriate publicity for approved codes that have been decided as having general validity wi
GDPR-40-15
Registration
Board shall collate and publish register of approved codes
The Board must collate all approved codes of conduct, amendments and extensions in a register and make them publicly ava
Article 41. Monitoring of approved codes of conduct
8 obligations
GDPR-41-01
Conformity
Monitoring body accreditation requirements - independence and expertise
Monitoring bodies seeking accreditation must demonstrate their independence and expertise in relation to the subject-mat
GDPR-41-02
Conformity
Monitoring body accreditation requirements - assessment procedures
Monitoring bodies seeking accreditation must establish procedures which allow them to assess the eligibility of controll
GDPR-41-03
Transparency
Monitoring body accreditation requirements - complaint handling procedures
Monitoring bodies seeking accreditation must establish procedures and structures to handle complaints about infringement
GDPR-41-04
Conformity
Monitoring body accreditation requirements - conflict of interest demonstration
Monitoring bodies seeking accreditation must demonstrate to the satisfaction of the competent supervisory authority that
GDPR-41-05
Requirement
Supervisory authority submission of accreditation requirements to Board
The competent supervisory authority must submit the draft requirements for accreditation of monitoring bodies to the Boa
GDPR-41-06
Monitoring
Monitoring body enforcement action in cases of infringement
Accredited monitoring bodies must take appropriate action in cases of infringement of the code by a controller or proces
GDPR-41-07
Reporting
Monitoring body reporting to supervisory authority on enforcement actions
Accredited monitoring bodies must inform the competent supervisory authority of enforcement actions taken and the reason
GDPR-41-08
Monitoring
Supervisory authority revocation of monitoring body accreditation
The competent supervisory authority must revoke the accreditation of a monitoring body if the requirements for accredita
Article 42. Certification
7 obligations
GDPR-42-01
Requirement
Member States shall encourage establishment of data protection certification mechanisms
Member States must encourage, particularly at Union level, the establishment of data protection certification mechanisms
GDPR-42-02
Requirement
Supervisory authorities shall encourage establishment of certification mechanisms
Supervisory authorities must encourage, particularly at Union level, the establishment of data protection certification
GDPR-42-03
Requirement
Board shall encourage establishment of certification mechanisms
The Board must encourage, particularly at Union level, the establishment of data protection certification mechanisms and
GDPR-42-04
Requirement
Commission shall encourage establishment of certification mechanisms
The Commission must encourage, particularly at Union level, the establishment of data protection certification mechanism
GDPR-42-05
Requirement
Controllers/processors not subject to GDPR must make binding commitments for certification
Controllers or processors not subject to GDPR seeking certification for third country transfers must make binding and en
GDPR-42-06
Transparency
Controllers/processors must provide information and access for certification
Controllers or processors submitting to certification must provide the certification body or competent supervisory autho
GDPR-42-07
Registration
Board shall maintain public register of certification mechanisms
The Board must collate all certification mechanisms and data protection seals and marks in a register and make them publ
Article 43. Certification bodies
1 obligation