GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 6. Lawfulness of processing
10 obligations
GDPR-6-01
Requirement
Ensure lawful basis for processing
Processing of personal data must be lawful only if and to the extent that at least one of the lawful bases specified in
GDPR-6-02
Prohibition
Prohibition on legitimate interests basis for public authorities
Public authorities performing their tasks are prohibited from using the legitimate interests lawful basis (point f) for
GDPR-6-03
Requirement
Establish legal basis in Union or Member State law for legal obligation/public task
For processing based on legal obligation (point c) or public task (point e), the basis must be laid down by Union law or
GDPR-6-04
Requirement
Determine processing purpose in legal basis
The purpose of processing based on legal obligation or public task must be determined in the legal basis, or must be nec
GDPR-6-05
Requirement
Ensure legal basis meets public interest objective and proportionality
Union or Member State law establishing the legal basis for processing must meet an objective of public interest and be p
GDPR-6-06
Requirement
Conduct compatibility assessment for further processing
When processing personal data for a purpose other than the original collection purpose (not based on consent or Union/Me
GDPR-6-07
Requirement
Consider purpose linkage in compatibility assessment
Controllers must consider any link between the original data collection purposes and the purposes of the intended furthe
GDPR-6-08
Requirement
Consider collection context in compatibility assessment
Controllers must consider the context in which personal data were collected, particularly the relationship between data
GDPR-6-09
Requirement
Consider data nature in compatibility assessment
Controllers must consider the nature of personal data, particularly whether special categories of personal data or crimi
GDPR-6-10
Requirement
Consider processing consequences in compatibility assessment
Controllers must consider the possible consequences of the intended further processing for data subjects when assessing
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Article 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned
12 obligations
GDPR-60-10
Requirement
Supervisory authorities bound by draft decision without objections
Where no other supervisory authorities object to the draft decision within the specified periods, all supervisory author
GDPR-60-11
Requirement
Lead authority must adopt and notify decision to controller/processor
The lead supervisory authority must adopt and notify the decision to the main establishment or single establishment of t
GDPR-60-12
Requirement
Lead authority must inform other authorities and Board of decision
The lead supervisory authority must inform other supervisory authorities concerned and the Board of the decision, includ
GDPR-60-13
Requirement
Complaint authority must inform complainant of decision
The supervisory authority with which a complaint has been lodged must inform the complainant of the decision.
GDPR-60-14
Requirement
Complaint authority must adopt decision for dismissed/rejected complaints
Where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged must adopt the
GDPR-60-15
Requirement
Separate decisions required for partial complaint handling
Where supervisory authorities agree to dismiss/reject parts of a complaint and act on other parts, separate decisions mu
GDPR-60-16
Requirement
Lead authority handles controller action decisions in partial complaints
In partial complaint cases, the lead supervisory authority must adopt decisions for parts concerning actions relating to
GDPR-60-17
Requirement
Complaint authority handles dismissal decisions in partial complaints
In partial complaint cases, the supervisory authority of the complainant must adopt decisions for dismissal/rejection pa
GDPR-60-18
Requirement
Controller/processor must ensure compliance across all EU establishments
After being notified of the lead supervisory authority's decision, the controller or processor must take necessary measu
GDPR-60-19
Reporting
Controller/processor must notify compliance measures to lead authority
The controller or processor must notify the measures taken for complying with the decision to the lead supervisory autho
GDPR-60-20
Requirement
Lead authority must inform other authorities of compliance measures
The lead supervisory authority must inform other supervisory authorities concerned about the compliance measures notifie
GDPR-60-21
Requirement
Supervisory authorities must supply information electronically in standardised format
The lead supervisory authority and other supervisory authorities concerned must supply required information to each othe
Article 61. Mutual assistance
3 obligations
GDPR-61-01
Requirement
Provide mutual assistance and relevant information to other supervisory authorities
Supervisory authorities must provide each other with relevant information and mutual assistance to implement and apply t
GDPR-61-02
Requirement
Respond to assistance requests without undue delay within one month
Each supervisory authority must take all appropriate measures to reply to requests from other supervisory authorities wi
GDPR-61-03
Requirement
Include necessary information in assistance requests
Requests for assistance must contain all the necessary information, including the purpose of and reasons for the request