GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Article 15. Right of access by the data subject
14 obligations
GDPR-15-02
Transparency
Provide access to personal data and processing information
When personal data is being processed, controllers must provide access to the personal data and all specified informatio
GDPR-15-03
Transparency
Disclose purposes of processing
Controllers must inform data subjects of the purposes for which their personal data is being processed when responding t
GDPR-15-04
Transparency
Disclose categories of personal data
Controllers must inform data subjects of the categories of personal data being processed concerning them when responding
GDPR-15-05
Transparency
Disclose recipients of personal data
Controllers must inform data subjects of the recipients or categories of recipients to whom personal data have been or w
GDPR-15-06
Transparency
Disclose data retention period or criteria
Controllers must inform data subjects of the envisaged storage period for personal data, or if not possible, the criteri
GDPR-15-07
Transparency
Inform about data subject rights
Controllers must inform data subjects about their rights to request rectification, erasure, restriction of processing, o
GDPR-15-08
Transparency
Inform about complaint rights
Controllers must inform data subjects of their right to lodge a complaint with a supervisory authority.
GDPR-15-09
Transparency
Disclose data source information
When personal data was not collected from the data subject, controllers must provide any available information about the
GDPR-15-10
Transparency
Disclose automated decision-making information
Controllers must inform data subjects about the existence of automated decision-making including profiling, and provide
GDPR-15-11
Transparency
Inform about international transfer safeguards
When personal data are transferred to third countries or international organisations, controllers must inform data subje
GDPR-15-12
Transparency
Provide copy of personal data
Controllers must provide a copy of the personal data undergoing processing to data subjects upon request.
GDPR-15-13
Data Governance
Charge reasonable fees for additional copies
Controllers may charge a reasonable fee based on administrative costs for any additional copies of personal data request
GDPR-15-14
Requirement
Provide information in electronic form when requested electronically
When data subjects make access requests by electronic means, controllers must provide the information in a commonly used
GDPR-15-15
Data Governance
Protect rights and freedoms of others when providing data copies
Controllers must ensure that providing copies of personal data to data subjects does not adversely affect the rights and
Article 16. Right to rectification
2 obligations
GDPR-16-01
Requirement
Provide rectification of inaccurate personal data without undue delay
Controllers must rectify inaccurate personal data concerning a data subject without undue delay when requested by the da
GDPR-16-02
Requirement
Complete incomplete personal data upon request
Controllers must allow data subjects to have incomplete personal data completed, taking into account the purposes of the
Article 17. Right to erasure (‘right to be forgotten’)
4 obligations
GDPR-17-01
Requirement
Erase personal data without undue delay when grounds apply
Controller must erase personal data without undue delay when any of the specified grounds apply: data no longer necessar
GDPR-17-02
Requirement
Take reasonable steps to inform other controllers of erasure requests
When controller has made personal data public and must erase it, controller must take reasonable steps including technic
GDPR-17-03
Requirement
Consider available technology and implementation costs in erasure measures
When taking steps to inform other controllers about erasure requests for public data, controller must take into account
GDPR-17-04
Requirement
Apply erasure exceptions when processing is necessary for specified purposes
Controller must not apply erasure obligations when processing is necessary for: freedom of expression, legal compliance,
Article 18. Right to restriction of processing
5 obligations
GDPR-18-01
Requirement
Provide restriction of processing when accuracy is contested
Controllers must restrict processing of personal data when the data subject contests the accuracy of the personal data,
GDPR-18-02
Requirement
Provide restriction of processing when processing is unlawful and erasure opposed
Controllers must restrict processing of personal data when the processing is unlawful and the data subject opposes the e
GDPR-18-03
Requirement
Provide restriction of processing when data no longer needed but required for legal claims
Controllers must restrict processing of personal data when the controller no longer needs the personal data for the purp
GDPR-18-04
Requirement
Provide restriction of processing when objection is pending verification
Controllers must restrict processing of personal data when the data subject has objected to processing pursuant to Artic
GDPR-18-05
Prohibition
Limit processing of restricted data to specific purposes only
Controllers must ensure that when processing has been restricted, such personal data shall, with the exception of storag