GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Article 57. Tasks
24 obligations
GDPR-57-03
Transparency
Advise national institutions on data protection measures
Supervisory authorities must advise, in accordance with Member State law, the national parliament, government, and other
GDPR-57-04
Transparency
Promote controller and processor awareness of obligations
Supervisory authorities must promote the awareness of controllers and processors regarding their obligations under the G
GDPR-57-05
Transparency
Provide information to data subjects on request
Supervisory authorities must provide information to any data subject concerning the exercise of their rights under the G
GDPR-57-06
Monitoring
Handle and investigate complaints
Supervisory authorities must handle complaints lodged by data subjects or authorized bodies/organizations, investigate t
GDPR-57-07
Data Governance
Cooperate with other supervisory authorities
Supervisory authorities must cooperate with other supervisory authorities, including sharing information and providing m
GDPR-57-08
Monitoring
Conduct GDPR application investigations
Supervisory authorities must conduct investigations on the application of the GDPR, including based on information recei
GDPR-57-09
Monitoring
Monitor relevant technological and commercial developments
Supervisory authorities must monitor relevant developments that impact personal data protection, particularly developmen
GDPR-57-10
Data Governance
Adopt standard contractual clauses
Supervisory authorities must adopt standard contractual clauses as referred to in specific GDPR provisions
GDPR-57-11
Documentation
Establish and maintain DPIA requirement list
Supervisory authorities must establish and maintain a list in relation to the requirement for data protection impact ass
GDPR-57-12
Transparency
Give advice on processing operations
Supervisory authorities must give advice on processing operations as referred to in Article 36(2)
GDPR-57-13
Conformity
Encourage and approve codes of conduct
Supervisory authorities must encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide opinions
GDPR-57-14
Conformity
Encourage and approve certification mechanisms
Supervisory authorities must encourage establishment of data protection certification mechanisms and seals/marks pursuan
GDPR-57-15
Monitoring
Conduct periodic review of certifications
Supervisory authorities must carry out periodic review of certifications issued in accordance with Article 42(7) where a
GDPR-57-16
Transparency
Draft and publish accreditation requirements
Supervisory authorities must draft and publish requirements for accreditation of bodies for monitoring codes of conduct
GDPR-57-17
Conformity
Conduct accreditation of monitoring and certification bodies
Supervisory authorities must conduct accreditation of bodies for monitoring codes of conduct and certification bodies
GDPR-57-18
Conformity
Authorize contractual clauses and provisions
Supervisory authorities must authorize contractual clauses and provisions referred to in Article 46(3)
GDPR-57-19
Conformity
Approve binding corporate rules
Supervisory authorities must approve binding corporate rules pursuant to relevant GDPR provisions
GDPR-57-20
Data Governance
Contribute to Board activities
Supervisory authorities must contribute to the activities of the European Data Protection Board
GDPR-57-21
Documentation
Keep internal records of infringements and measures
Supervisory authorities must keep internal records of infringements of the GDPR and of measures taken in accordance with
GDPR-57-22
Data Governance
Fulfill other personal data protection tasks
Supervisory authorities must fulfill any other tasks related to the protection of personal data
GDPR-57-23
Transparency
Facilitate complaint submission
Supervisory authorities must facilitate the submission of complaints by measures such as providing complaint submission
GDPR-57-24
Transparency
Provide free services to data subjects and DPOs
Supervisory authorities must ensure that the performance of their tasks is free of charge for data subjects and, where a
GDPR-57-25
Data Governance
Apply reasonable fees for manifestly unfounded/excessive requests
Supervisory authorities may charge a reasonable fee based on administrative costs or refuse to act on requests that are
GDPR-57-26
Transparency
Demonstrate manifestly unfounded/excessive character of requests
Supervisory authorities must bear the burden of demonstrating the manifestly unfounded or excessive character of request
Article 58. Powers
1 obligation