GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 8. Conditions applicable to child's consent in relation to information society services
3 obligations
GDPR-8-01
Requirement
Age-based lawful processing for information society services
When offering information society services directly to a child, process personal data lawfully only if the child is at l
GDPR-8-02
Requirement
Parental consent requirement for children under 16
For children below 16 years (or lower age set by Member State), process personal data only if and to the extent that con
GDPR-8-03
Requirement
Reasonable efforts to verify parental consent
Make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Chapter VIII — Remedies, Liability and Penalties
Article 80. Representation of data subjects
3 obligations
GDPR-80-01
Data Governance
Recognize data subject right to mandate not-for-profit representative
Data controllers and processors must recognize and respect the data subject's right to mandate a qualifying not-for-prof
GDPR-80-02
Data Governance
Allow Member States to provide independent complaint rights to qualifying bodies
Member States may establish legal frameworks allowing qualifying not-for-profit bodies to lodge complaints with supervis
GDPR-80-03
Data Governance
Accept complaints from independent qualifying representative bodies
Where Member State law provides for it, supervisory authorities must accept and process complaints lodged by qualifying
Article 81. Suspension of proceedings
3 obligations
GDPR-81-01
Requirement
Contact court to confirm parallel proceedings
When a competent court has information about proceedings concerning the same subject matter regarding processing by the
GDPR-81-02
Requirement
Authority to suspend parallel proceedings
Any competent court other than the court first seized may suspend its proceedings where proceedings concerning the same
GDPR-81-03
Requirement
Authority to decline jurisdiction at first instance
Where proceedings are pending at first instance, any court other than the court first seized may decline jurisdiction up
Article 82. Right to compensation and liability
6 obligations
GDPR-82-01
Requirement
Provide compensation to data subjects for damages from GDPR infringements
Controllers and processors must provide compensation to any person who has suffered material or non-material damage as a
GDPR-82-02
Requirement
Controller liability for damages from processing infringements
Any controller involved in processing shall be liable for damage caused by processing which infringes the GDPR and must
GDPR-82-03
Requirement
Processor liability for specific infringements and unauthorized actions
A processor shall be liable for damage caused by processing only where it has not complied with GDPR obligations specifi
GDPR-82-04
Requirement
Prove absence of responsibility to claim exemption from liability
A controller or processor must prove that it is not in any way responsible for the event giving rise to damage in order
GDPR-82-05
Requirement
Joint and several liability for full damage compensation
Where multiple controllers or processors are involved in the same processing and are responsible for damage, each contro
GDPR-82-06
Requirement
Right to claim proportional reimbursement from co-responsible parties
Where a controller or processor has paid full compensation for damage, that party shall be entitled to claim back from o
Article 83. General conditions for imposing administrative fines
8 obligations
GDPR-83-01
Requirement
Ensure administrative fines are effective, proportionate and dissuasive
Each supervisory authority must ensure that administrative fines imposed for GDPR infringements are effective, proportio
GDPR-83-02
Requirement
Consider specified factors when deciding on administrative fines
When deciding whether to impose an administrative fine and determining the amount, supervisory authorities must give due
GDPR-83-03
Requirement
Apply maximum fine cap for multiple linked infringements
When a controller or processor intentionally or negligently infringes several GDPR provisions for the same or linked pro
GDPR-83-04
Requirement
Apply appropriate procedural safeguards for administrative fines
Supervisory authorities must ensure that the exercise of their administrative fine powers is subject to appropriate proc
GDPR-83-05
Requirement
Establish rules for administrative fines on public authorities
Each Member State may establish rules determining whether and to what extent administrative fines may be imposed on publ
GDPR-83-06
Requirement
Adapt administrative fine procedures for non-administrative fine legal systems
Where a Member State's legal system does not provide for administrative fines, they may apply this Article so that fines
GDPR-83-07
Requirement
Ensure alternative fines remain effective, proportionate and dissuasive
Member States using alternative fine procedures must ensure that the fines imposed are effective, proportionate and diss
GDPR-83-08
Reporting
Notify Commission of alternative fine procedure laws
Member States using alternative fine procedures must notify the Commission of their adopted laws by 25 May 2018 and prom
Article 84. Penalties
2 obligations
GDPR-84-01
Requirement
Establish rules on other penalties for GDPR infringements
Member States must lay down rules on penalties applicable to infringements of the GDPR, particularly for infringements n
GDPR-84-02
Requirement
Ensure penalties are effective, proportionate and dissuasive
Member States must ensure that the penalties they establish for GDPR infringements meet the standards of being effective