GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Article 13. Information to be provided where personal data are collected from the data subject
12 obligations
GDPR-13-03
Transparency
Provide purposes and legal basis for processing
The controller must provide the data subject with information about the purposes of the processing for which the persona
GDPR-13-04
Transparency
Provide legitimate interests information
Where processing is based on legitimate interests (Article 6(1)(f)), the controller must provide information about the l
GDPR-13-05
Transparency
Provide recipients information
The controller must provide the data subject with information about the recipients or categories of recipients of the pe
GDPR-13-06
Transparency
Provide international transfer information
Where applicable, the controller must inform the data subject about intended transfers of personal data to third countri
GDPR-13-07
Transparency
Provide data retention period information
The controller must provide the data subject with information about the period for which the personal data will be store
GDPR-13-08
Transparency
Provide data subject rights information
The controller must inform the data subject about the existence of their rights to request access, rectification, erasur
GDPR-13-09
Transparency
Provide consent withdrawal information
Where processing is based on consent, the controller must inform the data subject about the existence of the right to wi
GDPR-13-10
Transparency
Provide complaint rights information
The controller must inform the data subject about their right to lodge a complaint with a supervisory authority.
GDPR-13-11
Transparency
Provide data provision requirement information
The controller must inform the data subject whether the provision of personal data is a statutory or contractual require
GDPR-13-12
Transparency
Provide automated decision-making information
The controller must inform the data subject about the existence of automated decision-making, including profiling, and p
GDPR-13-13
Transparency
Provide information before further processing for new purpose
Where the controller intends to further process the personal data for a purpose other than that for which the personal d
GDPR-13-14
Requirement
Provide information at time of data collection
The controller must provide all required information to the data subject at the time when personal data are obtained fro
Article 14. Information to be provided where personal data have not been obtained from the data subject
12 obligations
GDPR-14-01
Transparency
Provide controller identity and contact details
The controller must provide the data subject with the identity and contact details of the controller and, where applicab
GDPR-14-02
Transparency
Provide DPO contact details when applicable
The controller must provide the data subject with the contact details of the data protection officer, where applicable,
GDPR-14-03
Transparency
Provide processing purposes and legal basis information
The controller must provide the data subject with the purposes of the processing for which the personal data are intende
GDPR-14-04
Transparency
Provide categories of personal data information
The controller must provide the data subject with the categories of personal data concerned when personal data have not
GDPR-14-05
Transparency
Provide recipients information when applicable
The controller must provide the data subject with the recipients or categories of recipients of the personal data, if an
GDPR-14-06
Transparency
Provide international transfer information when applicable
The controller must provide information about intended transfers to third countries or international organizations, incl
GDPR-14-07
Transparency
Provide additional fair processing information
The controller must provide the data subject with additional information necessary to ensure fair and transparent proces
GDPR-14-08
Requirement
Comply with timing requirements for information provision
The controller must provide the required information within a reasonable period after obtaining the personal data, but a
GDPR-14-09
Requirement
Provide information at first communication when data used for communication
The controller must provide the required information at the latest at the time of the first communication to the data su
GDPR-14-10
Requirement
Provide information before first disclosure to another recipient
The controller must provide the required information at the latest when the personal data are first disclosed if a discl
GDPR-14-11
Transparency
Provide information before further processing for different purpose
The controller must provide the data subject prior to further processing with information on the other purpose and any r
GDPR-14-12
Data Governance
Take appropriate measures when information provision involves disproportionate effort
The controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests
Article 15. Right of access by the data subject
1 obligation