GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 7. Conditions for consent
7 obligations
GDPR-7-01
Documentation
Demonstrate data subject consent
The controller must be able to demonstrate that the data subject has consented to processing of his or her personal data
GDPR-7-02
Requirement
Present consent request in distinguishable manner
When consent is requested in a written declaration that also concerns other matters, the request for consent must be pre
GDPR-7-03
Requirement
Use intelligible and easily accessible form for consent
When consent is requested in a written declaration that also concerns other matters, the request must be in an intelligi
GDPR-7-04
Requirement
Use clear and plain language for consent
When consent is requested in a written declaration that also concerns other matters, the request must use clear and plai
GDPR-7-05
Transparency
Inform data subject of right to withdraw consent
Prior to giving consent, the data subject must be informed that they have the right to withdraw their consent at any tim
GDPR-7-06
Requirement
Make withdrawal as easy as giving consent
The mechanism for withdrawing consent must be as easy to use as the mechanism for giving consent.
GDPR-7-07
Risk Management
Assess whether consent is freely given considering contract conditioning
When assessing whether consent is freely given, controllers must take utmost account of whether the performance of a con
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Article 69. Independence
3 obligations
GDPR-69-01
Requirement
Board Must Act Independently in Task Performance
The European Data Protection Board shall act independently when performing its tasks or exercising its powers pursuant t
GDPR-69-02
Prohibition
Board Prohibition on Seeking Instructions
The European Data Protection Board shall not seek instructions from any external party when performing its tasks or exer
GDPR-69-03
Prohibition
Board Prohibition on Taking Instructions
The European Data Protection Board shall not take instructions from any external party when performing its tasks or exer
Article 71. Reports
7 obligations
GDPR-71-01
Reporting
Draw up annual report on data protection
The Board must prepare an annual report regarding the protection of natural persons with regard to processing in the Uni
GDPR-71-02
Transparency
Make annual report public
The Board must make the annual report publicly available.
GDPR-71-03
Reporting
Transmit annual report to European Parliament
The Board must transmit the annual report to the European Parliament.
GDPR-71-04
Reporting
Transmit annual report to the Council
The Board must transmit the annual report to the Council.
GDPR-71-05
Reporting
Transmit annual report to the Commission
The Board must transmit the annual report to the Commission.
GDPR-71-06
Reporting
Include review of guidelines, recommendations and best practices in annual report
The annual report must include a review of the practical application of the guidelines, recommendations and best practic
GDPR-71-07
Reporting
Include review of binding decisions in annual report
The annual report must include a review of the binding decisions (referenced but not fully specified in the article text
Article 72. Procedure
3 obligations
GDPR-72-01
Data Governance
Board Decision-Making by Simple Majority
The European Data Protection Board must make decisions using a simple majority vote of its members, unless this Regulati
GDPR-72-02
Data Governance
Board Rules of Procedure Adoption
The European Data Protection Board must adopt its own rules of procedure, requiring a two-thirds majority vote of its me
GDPR-72-03
Data Governance
Board Operational Arrangements Organization
The European Data Protection Board must organize its own operational arrangements to facilitate its functioning and oper
Article 73. Chair
2 obligations
GDPR-73-01
Requirement
Board Must Elect Chair and Deputy Chairs by Simple Majority
The Board must elect a chair and two deputy chairs from amongst its members using a simple majority voting process.
GDPR-73-02
Requirement
Chair and Deputy Chairs Must Serve Five-Year Terms
The Chair and deputy chairs must serve terms of office lasting five years, with the possibility of one renewal.
Article 74. Tasks of the Chair
3 obligations
GDPR-74-01
Requirement
Convene Board meetings and prepare agenda
The Chair must convene meetings of the Board and prepare the agenda for such meetings.
GDPR-74-02
Requirement
Notify Board decisions to supervisory authorities
The Chair must notify decisions adopted by the Board pursuant to consistency mechanism to the lead supervisory authority
GDPR-74-03
Requirement
Ensure timely performance of Board tasks
The Chair must ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mec