GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 9. Processing of special categories of personal data
9 obligations
GDPR-9-05
Requirement
Not-for-Profit Body Processing Requirements
Not-for-profit bodies with political, philosophical, religious or trade union aims must ensure processing is carried out
GDPR-9-06
Requirement
Manifestly Public Data Verification Requirement
Controllers processing special category data that has been made manifestly public must verify that the data was indeed m
GDPR-9-07
Requirement
Legal Claims Processing Necessity Requirement
Controllers must ensure that processing of special category data is necessary for the establishment, exercise or defence
GDPR-9-08
Requirement
Substantial Public Interest Legal Basis Requirements
Controllers processing special category data for substantial public interest must ensure it is based on Union or Member
GDPR-9-09
Requirement
Healthcare Processing Legal Basis and Safeguards Requirement
Controllers processing special category data for healthcare purposes must ensure processing is based on Union or Member
GDPR-9-10
Requirement
Public Health Processing Legal Framework Requirement
Controllers processing special category data for public health purposes must ensure processing is based on Union or Memb
GDPR-9-11
Requirement
Archiving and Research Processing Legal Requirements
Controllers processing special category data for archiving, scientific or historical research, or statistical purposes m
GDPR-9-12
Requirement
Professional Secrecy Requirement for Healthcare Data Processing
When processing special category data for healthcare purposes, controllers must ensure data are processed by or under re
GDPR-9-13
Requirement
Member State Additional Conditions Authority
Member States may maintain or introduce further conditions, including limitations, with regard to the processing of gene
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Chapter VI — Independent Supervisory Authorities
Chapter VII — Cooperation and Consistency
Chapter VIII — Remedies, Liability and Penalties
Chapter IX — Provisions Relating to Specific Processing Situations
Article 91. Existing data protection rules of churches and religious associations
2 obligations
GDPR-91-01
Conformity
Align existing religious data protection rules with GDPR
Churches and religious associations that apply comprehensive data protection rules existing at GDPR entry into force mus
GDPR-91-02
Data Governance
Submit to independent supervisory authority supervision
Churches and religious associations applying comprehensive rules under paragraph 1 must be subject to supervision by an
Chapter X — Delegated Acts and Implementing Acts
Article 92. Exercise of the delegation
3 obligations
GDPR-92-01
Reporting
Commission notification of delegated acts
The Commission must simultaneously notify the European Parliament and Council as soon as it adopts any delegated act und
GDPR-92-02
Requirement
Three-month objection period compliance
The Commission must ensure delegated acts only enter into force if no objection is expressed by the European Parliament
GDPR-92-03
Requirement
Extended objection period compliance
The Commission must comply with extended objection periods when the three-month period is extended by an additional thre
Article 93. Committee procedure
3 obligations
GDPR-93-01
Data Governance
Commission committee assistance requirement
The European Commission must be assisted by a committee in carrying out functions under this regulation, which operates
GDPR-93-02
Conformity
Article 5 procedure compliance when referenced
When Article 93(2) is referenced in other provisions, the Commission must apply Article 5 of Regulation (EU) No 182/2011
GDPR-93-03
Conformity
Article 8 procedure compliance when referenced
When Article 93(3) is referenced in other provisions, the Commission must apply Article 8 of Regulation (EU) No 182/2011
Chapter XI — Final Provisions
Article 94. Repeal of Directive 95/46/EC
2 obligations
GDPR-94-01
Conformity
Treat references to repealed Directive as references to GDPR
All references to Directive 95/46/EC must be construed and interpreted as references to this Regulation (GDPR) instead.
GDPR-94-02
Conformity
Treat Working Party references as European Data Protection Board references
All references to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data esta
Article 95. Relationship with Directive 2002/58/EC
1 obligation
Article 96. Relationship with previously concluded Agreements
1 obligation
Article 97. Commission reports
4 obligations
GDPR-97-01
Reporting
Submit quadrennial GDPR evaluation reports to Parliament and Council
The Commission must submit a report on the evaluation and review of the GDPR to the European Parliament and to the Counc
GDPR-97-02
Transparency
Make GDPR evaluation reports public
The Commission must make the evaluation and review reports submitted to Parliament and Council publicly available.
GDPR-97-03
Monitoring
Examine Chapter V data transfer provisions in evaluations
The Commission must examine the application and functioning of Chapter V on transfer of personal data to third countries
GDPR-97-04
Monitoring
Examine Chapter VII cooperation and consistency provisions in evaluations
The Commission must examine the application and functioning of Chapter VII on cooperation and consistency as part of the