GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 5. Principles relating to processing of personal data
3 obligations
GDPR-5-01
Requirement
Process personal data lawfully, fairly and transparently
Data controllers must ensure all processing of personal data is conducted in accordance with legal grounds, in a fair ma
GDPR-5-02
Requirement
Collect data for specified, explicit and legitimate purposes only
Personal data must be collected only for purposes that are clearly specified, explicitly stated, and legitimate. Control
GDPR-5-03
Prohibition
Prohibit incompatible further processing
Controllers are prohibited from further processing personal data in a manner incompatible with the original collection p
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Article 46. Transfers subject to appropriate safeguards
7 obligations
GDPR-46-02
Requirement
Ensure enforceable data subject rights for third country transfers
Controllers or processors must ensure that enforceable data subject rights are available when transferring personal data
GDPR-46-03
Requirement
Ensure effective legal remedies for data subjects in third country transfers
Controllers or processors must ensure that effective legal remedies for data subjects are available when transferring pe
GDPR-46-04
Requirement
Apply binding and enforceable commitments for approved codes of conduct
Controllers or processors in third countries must apply binding and enforceable commitments when using approved codes of
GDPR-46-05
Requirement
Apply binding and enforceable commitments for approved certification mechanisms
Controllers or processors in third countries must apply binding and enforceable commitments when using approved certific
GDPR-46-06
Requirement
Obtain supervisory authority authorisation for contractual clauses
Controllers or processors must obtain authorisation from the competent supervisory authority when using contractual clau
GDPR-46-07
Requirement
Include enforceable data subject rights in administrative arrangements
Public authorities or bodies must include enforceable and effective data subject rights in administrative arrangements u
GDPR-46-08
Requirement
Apply consistency mechanism for paragraph 3 authorisations
Supervisory authorities must apply the consistency mechanism when providing authorisations for contractual clauses and a
Article 48. Transfers or disclosures not authorised by Union law
1 obligation
Article 49. Derogations for specific situations
10 obligations
GDPR-49-01
Requirement
Use specific derogations for data transfers without adequacy decision or safeguards
When transferring personal data to a third country or international organisation without an adequacy decision or appropr
GDPR-49-02
Transparency
Obtain explicit consent for transfers with informed risk disclosure
Controllers must obtain the data subject's explicit consent for the proposed transfer after informing them of the possib
GDPR-49-03
Prohibition
Limit public register transfers to relevant portions only
When transferring data from public registers, controllers must not transfer the entirety of personal data or entire cate
GDPR-49-04
Requirement
Verify legitimate interest for consultation-based register transfers
When transferring data from registers intended for consultation by persons with legitimate interest, controllers must en
GDPR-49-05
Requirement
Meet additional conditions for non-repetitive limited transfers
For transfers that cannot be based on standard provisions and no specific derogations apply, controllers may only transf
GDPR-49-06
Risk Management
Assess all circumstances surrounding exceptional data transfers
Controllers must assess all the circumstances surrounding the data transfer when relying on compelling legitimate intere
GDPR-49-07
Reporting
Inform supervisory authority of exceptional transfers
Controllers must inform the supervisory authority when making transfers based on compelling legitimate interests under t
GDPR-49-08
Transparency
Inform data subject of exceptional transfer and legitimate interests
Controllers must inform the data subject of the transfer and the compelling legitimate interests pursued, in addition to
GDPR-49-09
Documentation
Document transfer assessment and safeguards in records
Controllers or processors must document the assessment as well as the suitable safeguards for exceptional transfers in t
GDPR-49-10
Reporting
Notify Commission of transfer limitations for public interest reasons
Member States must notify the Commission of any provisions that set limits to the transfer of specific categories of per
Article 50. International cooperation for the protection of personal data
4 obligations
GDPR-50-01
Requirement
Develop international cooperation mechanisms for data protection enforcement
The Commission and supervisory authorities must develop international cooperation mechanisms to facilitate the effective
GDPR-50-02
Requirement
Provide international mutual assistance in data protection enforcement
The Commission and supervisory authorities must provide international mutual assistance in the enforcement of legislatio
GDPR-50-03
Requirement
Engage stakeholders in international cooperation discussions
The Commission and supervisory authorities must engage relevant stakeholders in discussion and activities aimed at furth
GDPR-50-04
Requirement
Promote exchange and documentation of data protection legislation and practice
The Commission and supervisory authorities must promote the exchange and documentation of personal data protection legis