GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 9. Processing of special categories of personal data
4 obligations
GDPR-9-01
Prohibition
Prohibition of Special Category Data Processing
Controllers must not process personal data revealing racial or ethnic origin, political opinions, religious or philosoph
GDPR-9-02
Requirement
Explicit Consent Requirement for Special Category Data
When relying on explicit consent as the lawful basis for processing special category data, controllers must obtain expli
GDPR-9-03
Requirement
Employment/Social Security Legal Authorization Requirement
When processing special category data for employment and social security purposes, controllers must ensure processing is
GDPR-9-04
Requirement
Vital Interests Processing Requirement
When processing special category data based on vital interests, controllers must ensure processing is necessary to prote
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Chapter VIII — Remedies, Liability and Penalties
Article 84. Penalties
1 obligation
Chapter IX — Provisions Relating to Specific Processing Situations
Article 85. Processing and freedom of expression and information
4 obligations
GDPR-85-01
Requirement
Reconcile data protection with freedom of expression rights
Member States must enact laws that reconcile the right to protection of personal data under GDPR with the right to freed
GDPR-85-02
Requirement
Provide exemptions/derogations for journalistic and expressive processing
Member States must provide exemptions or derogations from Chapters II, III, IV, V, VI, VII and IX for processing carried
GDPR-85-03
Reporting
Notify Commission of adopted provisions
Each Member State must notify the European Commission of the provisions of national law adopted pursuant to paragraph 2
GDPR-85-04
Reporting
Notify Commission of subsequent amendments without delay
Each Member State must notify the European Commission without delay of any subsequent amendment to the law or amendments
Article 86. Processing and public access to official documents
2 obligations
GDPR-86-01
Data Governance
Comply with applicable law when disclosing personal data in official documents
When disclosing personal data contained in official documents to reconcile public access rights with data protection rig
GDPR-86-02
Data Governance
Balance public access rights with data protection rights in disclosure decisions
When handling requests for access to official documents containing personal data, authorities and bodies must reconcile
Article 87. Processing of the national identification number
1 obligation
Article 88. Processing in the context of employment
4 obligations
GDPR-88-01
Requirement
Enact specific employment data protection rules
Member States must establish by law or collective agreements more specific rules to ensure protection of rights and free
GDPR-88-02
Requirement
Include human dignity safeguards in employment data rules
Member States must ensure that employment data protection rules include suitable and specific measures to safeguard the
GDPR-88-03
Reporting
Notify Commission of employment data protection laws by deadline
Each Member State must notify the Commission of the provisions of its law adopted pursuant to paragraph 1 by 25 May 2018
GDPR-88-04
Reporting
Report amendments to employment data protection laws without delay
Each Member State must notify the Commission without delay of any subsequent amendments to the employment data protectio
Article 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
5 obligations
GDPR-89-01
Data Governance
Implement appropriate safeguards for special purpose processing
Organizations must implement appropriate safeguards in accordance with GDPR for the rights and freedoms of data subjects
GDPR-89-02
Requirement
Ensure technical and organisational measures for data minimisation
Organizations must ensure that technical and organisational measures are in place to ensure respect for the principle of
GDPR-89-03
Data Governance
Use pseudonymisation where purposes can be fulfilled
Organizations may implement pseudonymisation as a safeguard measure provided that the archiving, research or statistical
GDPR-89-04
Requirement
Use non-identifying processing where purposes can be fulfilled
Organizations must use further processing that does not permit or no longer permits identification of data subjects wher
GDPR-89-05
Requirement
Apply derogations only to specified processing purposes
When processing serves multiple purposes simultaneously, organizations must ensure that derogations from data subject ri
Article 90. Obligations of secrecy
4 obligations
GDPR-90-01
Data Governance
Member States may adopt specific rules for supervisory authority powers re secrecy
Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and
GDPR-90-02
Requirement
Specific rules must apply only to personal data obtained under secrecy obligation
Any rules adopted by Member States under paragraph 1 shall apply only with regard to personal data which the controller
GDPR-90-03
Reporting
Member States must notify Commission of adopted secrecy rules by 25 May 2018
Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without
GDPR-90-04
Reporting
Member States must notify Commission of subsequent amendments without delay
Each Member State must notify the Commission without delay of any subsequent amendments to rules adopted pursuant to par