GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 5. Principles relating to processing of personal data
9 obligations
GDPR-5-04
Data Governance
Ensure data adequacy, relevance and necessity
Controllers must ensure personal data processed is adequate for the intended purpose, relevant to that purpose, and limi
GDPR-5-05
Requirement
Maintain data accuracy and currency
Controllers must ensure personal data is accurate and, where necessary, kept up to date relative to the processing purpo
GDPR-5-06
Requirement
Take reasonable steps to erase or rectify inaccurate data
Controllers must take every reasonable step to ensure inaccurate personal data is erased or rectified without delay, con
GDPR-5-07
Requirement
Limit data storage duration to necessary period
Controllers must keep personal data in a form permitting identification of data subjects for no longer than necessary fo
GDPR-5-08
Requirement
Implement safeguards for extended storage periods
When storing personal data for longer periods for archiving, scientific research, historical research, or statistical pu
GDPR-5-09
Requirement
Ensure appropriate security of personal data
Controllers must process personal data in a manner ensuring appropriate security, including protection against unauthori
GDPR-5-10
Requirement
Use appropriate technical or organizational security measures
Controllers must implement appropriate technical or organizational measures to ensure the security and integrity of pers
GDPR-5-11
Requirement
Take responsibility for compliance with data protection principles
Controllers must be responsible for compliance with all data protection principles outlined in paragraph 1 of this artic
GDPR-5-12
Documentation
Demonstrate compliance with data protection principles
Controllers must be able to demonstrate their compliance with all data protection principles, requiring documentation an
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Article 51. Supervisory authority
6 obligations
GDPR-51-01
Requirement
Establish independent supervisory authority
Each Member State must provide for one or more independent public authorities to be responsible for monitoring the appli
GDPR-51-02
Requirement
Contribute to consistent application of GDPR
Each supervisory authority must contribute to the consistent application of GDPR throughout the Union.
GDPR-51-03
Requirement
Cooperate with other authorities and Commission
Supervisory authorities must cooperate with each other and the Commission in accordance with Chapter VII to ensure consi
GDPR-51-04
Requirement
Designate Board representative authority
Where more than one supervisory authority is established in a Member State, that Member State must designate which super
GDPR-51-05
Requirement
Establish consistency mechanism compliance framework
Member States with multiple supervisory authorities must set out the mechanism to ensure compliance by the other authori
GDPR-51-06
Reporting
Notify Commission of implementing legislation
Each Member State must notify to the Commission the provisions of its law which it adopts pursuant to this Chapter by 25
Article 52. Independence
9 obligations
GDPR-52-01
Requirement
Supervisory Authority Independence Requirement
Each supervisory authority must act with complete independence when performing its tasks and exercising its powers in ac
GDPR-52-02
Requirement
Freedom from External Influence Requirement
Members of supervisory authorities must remain free from external influence, whether direct or indirect, when performing
GDPR-52-03
Prohibition
Prohibition on Seeking or Taking Instructions
Members of supervisory authorities are prohibited from seeking or taking instructions from anybody when performing their
GDPR-52-04
Prohibition
Prohibition on Incompatible Actions
Members of supervisory authorities must refrain from any action that is incompatible with their duties as supervisory au
GDPR-52-05
Prohibition
Prohibition on Incompatible Occupations During Term
Members of supervisory authorities are prohibited from engaging in any incompatible occupation, whether gainful or not,
GDPR-52-06
Requirement
Resource Provision Requirement for Member States
Each Member State must ensure that each supervisory authority is provided with the human, technical and financial resour
GDPR-52-07
Requirement
Staff Selection and Direction Requirement for Member States
Each Member State must ensure that each supervisory authority chooses and has its own staff which shall be subject to th
GDPR-52-08
Requirement
Independent Financial Control Requirement for Member States
Each Member State must ensure that each supervisory authority is subject to financial control which does not affect its
GDPR-52-09
Requirement
Separate Public Annual Budget Requirement for Member States
Each Member State must ensure that each supervisory authority has separate, public annual budgets, which may be part of
Article 53. General conditions for the members of the supervisory authority
1 obligation