GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Article 58. Powers
13 obligations
GDPR-58-02
Monitoring
Submit to Data Protection Audits
Controllers and processors must allow supervisory authorities to carry out investigations in the form of data protection
GDPR-58-03
Transparency
Provide Access to Personal Data and Information
Controllers and processors must provide supervisory authorities with access to all personal data and all information nec
GDPR-58-04
Transparency
Provide Access to Premises and Equipment
Controllers and processors must provide supervisory authorities access to their premises, including data processing equi
GDPR-58-05
Requirement
Comply with Data Subject Rights Orders
Controllers and processors must comply with supervisory authority orders to fulfill data subject requests to exercise th
GDPR-58-06
Requirement
Bring Processing Operations into Compliance
Controllers and processors must bring their processing operations into compliance with GDPR provisions when ordered by s
GDPR-58-07
Reporting
Communicate Personal Data Breach to Data Subject
Controllers must communicate personal data breaches to data subjects when ordered by supervisory authorities.
GDPR-58-08
Prohibition
Comply with Processing Limitations or Bans
Controllers and processors must comply with temporary or definitive limitations, including bans on processing, imposed b
GDPR-58-09
Requirement
Execute Data Rectification, Erasure, or Restriction Orders
Controllers and processors must comply with supervisory authority orders for rectification or erasure of personal data o
GDPR-58-10
Prohibition
Suspend Data Flows When Ordered
Controllers and processors must suspend data flows to recipients in third countries or international organizations when
GDPR-58-11
Requirement
Member States Must Grant Supervisory Authority Powers
Member States must ensure their supervisory authorities have all the investigative, corrective, and authorization/adviso
GDPR-58-12
Requirement
Establish Safeguards for Supervisory Authority Powers
Member States must establish appropriate safeguards, including effective judicial remedy and due process, for the exerci
GDPR-58-13
Requirement
Provide Legal Authority for Judicial Enforcement
Member States must provide by law that supervisory authorities have the power to bring GDPR infringements to judicial au
GDPR-58-14
Requirement
Ensure Additional Powers Don't Impair Chapter VII
Member States that provide additional powers to supervisory authorities beyond those in paragraphs 1, 2, and 3 must ensu
Article 59. Activity reports
3 obligations
GDPR-59-01
Reporting
Draw up annual activity report
Each supervisory authority must prepare an annual report documenting its activities, which may include a list of types o
GDPR-59-02
Reporting
Transmit reports to national authorities
Supervisory authorities must transmit their annual activity reports to the national parliament, the government and other
GDPR-59-03
Transparency
Make reports publicly available
Supervisory authorities must make their annual activity reports available to the public, to the Commission and to the Bo
Chapter VII — Cooperation and Consistency
Article 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned
9 obligations
GDPR-60-01
Requirement
Lead supervisory authority must cooperate with other concerned authorities
The lead supervisory authority must cooperate with other supervisory authorities concerned in an endeavour to reach cons
GDPR-60-02
Requirement
Exchange all relevant information between supervisory authorities
The lead supervisory authority and supervisory authorities concerned must exchange all relevant information with each ot
GDPR-60-03
Requirement
Lead authority may request mutual assistance from other authorities
The lead supervisory authority may at any time request other supervisory authorities concerned to provide mutual assista
GDPR-60-04
Requirement
Lead authority may conduct joint operations with other authorities
The lead supervisory authority may conduct joint operations with other supervisory authorities, particularly for carryin
GDPR-60-05
Requirement
Lead authority must communicate relevant information without delay
The lead supervisory authority must communicate relevant information on the matter to other supervisory authorities conc
GDPR-60-06
Requirement
Lead authority must submit draft decision for opinion without delay
The lead supervisory authority must submit a draft decision to other supervisory authorities concerned for their opinion
GDPR-60-07
Requirement
Lead authority must submit matter to consistency mechanism upon objection
Where other supervisory authorities express relevant and reasoned objections within four weeks, the lead supervisory aut
GDPR-60-08
Requirement
Lead authority must submit revised draft decision when following objection
When the lead supervisory authority intends to follow a relevant and reasoned objection, it must submit a revised draft
GDPR-60-09
Requirement
Revised draft decision subject to two-week objection procedure
The revised draft decision must be subject to the objection procedure within a period of two weeks.