GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Article 53. General conditions for the members of the supervisory authority
3 obligations
GDPR-53-02
Requirement
Ensure supervisory authority members have required qualifications
Each member of supervisory authorities must possess the necessary qualifications, experience and skills, particularly in
GDPR-53-03
Requirement
Establish legal framework for termination of member duties
Member States must establish legal provisions defining when a supervisory authority member's duties end, specifically co
GDPR-53-04
Requirement
Restrict dismissal of members to specific circumstances
Member States must ensure that supervisory authority members can only be dismissed in cases of serious misconduct or if
Article 54. Rules on the establishment of the supervisory authority
8 obligations
GDPR-54-01
Requirement
Establish supervisory authority by law
Each Member State must provide by law for the establishment of each supervisory authority responsible for data protectio
GDPR-54-02
Requirement
Define qualifications and eligibility conditions for supervisory authority members
Each Member State must establish by law the qualifications and eligibility conditions required to be appointed as member
GDPR-54-03
Requirement
Establish appointment rules and procedures for supervisory authority members
Each Member State must define by law the rules and procedures for the appointment of the member or members of each super
GDPR-54-04
Requirement
Set minimum term duration for supervisory authority members
Each Member State must establish by law the duration of the term of supervisory authority members of no less than four y
GDPR-54-05
Requirement
Define reappointment eligibility rules for supervisory authority members
Each Member State must establish by law whether and for how many terms the member or members of each supervisory authori
GDPR-54-06
Requirement
Establish conduct and employment rules for supervisory authority members and staff
Each Member State must define by law the conditions governing obligations of supervisory authority members and staff, in
GDPR-54-07
Prohibition
Maintain professional secrecy duty for supervisory authority members and staff
Supervisory authority members and staff must maintain professional secrecy during and after their term of office regardi
GDPR-54-08
Prohibition
Maintain secrecy regarding infringement reporting during term of office
Supervisory authority members and staff must maintain professional secrecy specifically regarding reporting by natural p
Article 55. Competence
3 obligations
GDPR-55-01
Requirement
Territorial Competence Limitation for Supervisory Authorities
Each supervisory authority must limit its competence to performing tasks and exercising powers only within the territory
GDPR-55-02
Requirement
Specific Competence for Public Authority Processing
The supervisory authority of the relevant Member State must exercise competence when processing is carried out by public
GDPR-55-03
Prohibition
Prohibition on Supervising Judicial Processing
Supervisory authorities must not supervise processing operations of courts when they are acting in their judicial capaci
Article 56. Competence of the lead supervisory authority
9 obligations
GDPR-56-01
Data Governance
Act as lead supervisory authority for cross-border processing
The supervisory authority of the main establishment or single establishment of the controller or processor must act as l
GDPR-56-02
Monitoring
Handle complaints and infringements in local jurisdiction
Each supervisory authority must handle complaints lodged with it or possible infringements if the subject matter relates
GDPR-56-03
Reporting
Inform lead supervisory authority without delay
When handling local cases, the supervisory authority must inform the lead supervisory authority without delay about the
GDPR-56-04
Requirement
Decide on case handling within three weeks
The lead supervisory authority must decide within three weeks after being informed whether or not it will handle the cas
GDPR-56-05
Requirement
Apply specified procedure when handling case
When the lead supervisory authority decides to handle the case, it must apply the procedure referenced in the regulation
GDPR-56-06
Requirement
Submit draft decision to lead supervisory authority
The supervisory authority which informed the lead supervisory authority may submit a draft for a decision to the lead su
GDPR-56-07
Requirement
Take utmost account of submitted draft
The lead supervisory authority must take utmost account of any draft decision submitted by the informing supervisory aut
GDPR-56-08
Requirement
Handle case when lead authority declines
When the lead supervisory authority decides not to handle the case, the supervisory authority which informed it must han
GDPR-56-09
Data Governance
Serve as sole interlocutor for cross-border processing
The lead supervisory authority must be the sole interlocutor of the controller or processor for the cross-border process
Article 57. Tasks
2 obligations
GDPR-57-01
Monitoring
Monitor and enforce GDPR application
Supervisory authorities must monitor and enforce the application of the GDPR within their territory
GDPR-57-02
Transparency
Promote public awareness of data protection
Supervisory authorities must promote public awareness and understanding of risks, rules, safeguards and rights in relati