GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 6. Lawfulness of processing
1 obligation
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Article 61. Mutual assistance
6 obligations
GDPR-61-04
Requirement
Use exchanged information only for requested purpose
Information exchanged between supervisory authorities shall be used only for the purpose for which it was requested.
GDPR-61-05
Requirement
Comply with assistance requests unless specific exceptions apply
The requested supervisory authority shall not refuse to comply with assistance requests unless it is not competent for t
GDPR-61-06
Reporting
Inform requesting authority of results and progress
The requested supervisory authority must inform the requesting supervisory authority of the results or progress of measu
GDPR-61-07
Transparency
Provide reasons for any refusal to comply with assistance request
The requested supervisory authority must provide reasons for any refusal to comply with a request pursuant to the compet
GDPR-61-08
Requirement
Supply information by electronic means using standardised format
Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by
GDPR-61-09
Prohibition
Not charge fees for mutual assistance actions
Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual a
Article 62. Joint operations of supervisory authorities
10 obligations
GDPR-62-01
Requirement
Conduct joint operations when appropriate
Supervisory authorities must conduct joint operations including joint investigations and joint enforcement measures invo
GDPR-62-02
Requirement
Invite other supervisory authorities to participate in joint operations
The competent supervisory authority must invite supervisory authorities from other affected Member States to participate
GDPR-62-03
Requirement
Respond without delay to participation requests
Supervisory authorities must respond without delay to requests from other supervisory authorities to participate in join
GDPR-62-04
Requirement
Exercise investigative powers only under guidance and presence of host authority
When seconded supervisory authority staff exercise investigative powers in another Member State, they may only do so und
GDPR-62-05
Requirement
Comply with host Member State law
Seconding supervisory authority's members or staff participating in joint operations must be subject to and comply with
GDPR-62-06
Requirement
Assume responsibility for seconded staff actions
The Member State of the host supervisory authority must assume responsibility for actions of seconded staff from other M
GDPR-62-07
Requirement
Make good damage caused by own staff standards
The Member State in whose territory damage was caused must compensate for such damage under the same conditions that wou
GDPR-62-08
Requirement
Reimburse host Member State for damage caused by seconded staff
The Member State of the seconding supervisory authority must reimburse in full any sums paid by the host Member State to
GDPR-62-09
Prohibition
Refrain from requesting reimbursement except for staff damage
Member States must refrain from requesting reimbursement from other Member States for joint operation-related costs, exc
GDPR-62-10
Requirement
Comply with invitation obligation within one month
Supervisory authorities must comply with the obligation to invite other supervisory authorities to participate in joint
Article 63. Consistency mechanism
2 obligations
GDPR-63-01
Requirement
Supervisory authorities must cooperate with each other through consistency mechanism
Supervisory authorities must cooperate with each other through the consistency mechanism as set out in Section 2 of Chap
GDPR-63-02
Requirement
Supervisory authorities must cooperate with Commission when relevant
Supervisory authorities must cooperate with the European Commission, where relevant, through the consistency mechanism a
Article 64. Opinion of the Board
6 obligations
GDPR-64-01
Requirement
Board Must Issue Opinion on Specified Draft Decisions
The Board shall issue an opinion when a competent supervisory authority intends to adopt specific measures including DPI
GDPR-64-02
Requirement
Supervisory Authority Must Communicate Draft Decision to Board
The competent supervisory authority must communicate the draft decision to the Board when it intends to adopt any of the
GDPR-64-03
Requirement
Board Must Issue Opinion Within Eight Weeks
The Board must adopt its opinion within eight weeks by simple majority of the members, with possible extension of six we
GDPR-64-04
Requirement
Supervisory Authorities Must Communicate Information Without Undue Delay
Supervisory authorities and the Commission must communicate by electronic means to the Board, using a standardised forma
GDPR-64-05
Requirement
Board Chair Must Inform Members and Commission of Relevant Information
The Chair of the Board must inform by electronic means the members of the Board and the Commission of any relevant infor
GDPR-64-06
Requirement
Board Chair Must Inform Supervisory Authority of Opinion and Make Public
The Chair of the Board must inform the supervisory authority referred to in paragraphs 1 and 2, and the Commission of th