GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 2. Material scope
4 obligations
GDPR-2-01
Requirement
Apply GDPR to automated personal data processing
Organizations must apply GDPR requirements when processing personal data wholly or partly by automated means
GDPR-2-02
Requirement
Apply GDPR to non-automated filing system personal data processing
Organizations must apply GDPR requirements when processing personal data by non-automated means if the data forms part o
GDPR-2-03
Requirement
Exclude purely personal or household activities from GDPR compliance
Natural persons conducting purely personal or household activities are not required to comply with GDPR obligations for
GDPR-2-04
Requirement
Union institutions must adapt existing regulations to GDPR principles
Union institutions, bodies, offices and agencies must ensure that Regulation (EC) No 45/2001 and other applicable Union
Chapter II — Principles
Chapter III — Rights of the Data Subject
Article 18. Right to restriction of processing
1 obligation
Article 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
2 obligations
GDPR-19-01
Requirement
Communicate rectification/erasure/restriction to recipients
The controller must communicate any rectification or erasure of personal data or restriction of processing to each recip
GDPR-19-02
Transparency
Inform data subject about recipients upon request
The controller must inform the data subject about the recipients who were notified of rectification, erasure, or restric
Article 20. Right to data portability
5 obligations
GDPR-20-01
Requirement
Provide personal data in structured, machine-readable format
Controllers must provide personal data concerning the data subject, which the data subject has provided to the controlle
GDPR-20-02
Requirement
Enable data transmission to another controller without hindrance
Controllers must allow data subjects to transmit their personal data to another controller without creating obstacles or
GDPR-20-03
Requirement
Enable direct data transmission between controllers when technically feasible
Controllers must facilitate direct transmission of personal data from one controller to another when requested by the da
GDPR-20-04
Prohibition
Exclude data portability for public interest or official authority tasks
Controllers must not apply data portability rights to processing that is necessary for the performance of a task carried
GDPR-20-05
Requirement
Ensure data portability does not adversely affect others' rights and freedoms
Controllers must ensure that exercising data portability rights does not negatively impact the rights and freedoms of ot
Article 21. Right to object
5 obligations
GDPR-21-01
Requirement
Cease processing upon data subject objection (legitimate interests)
When a data subject objects to processing based on legitimate interests (Article 6(1)(e) or (f)) on grounds relating to
GDPR-21-02
Requirement
Cease processing upon objection to direct marketing
When a data subject objects to processing for direct marketing purposes, the controller must immediately cease processin
GDPR-21-03
Transparency
Inform data subjects of right to object at first communication
Controllers must explicitly bring the right to object (for legitimate interests and direct marketing) to the data subjec
GDPR-21-04
Requirement
Provide automated means for objection in information society services
In the context of information society services, controllers must enable data subjects to exercise their right to object
GDPR-21-05
Requirement
Cease research processing upon objection (unless public interest)
When a data subject objects to processing for scientific, historical research or statistical purposes on grounds relatin
Article 22. Automated individual decision-making, including profiling
8 obligations
GDPR-22-01
Prohibition
Prohibition on Automated Decision-Making with Legal/Significant Effects
Data controllers must not subject data subjects to decisions based solely on automated processing, including profiling,
GDPR-22-02
Data Governance
Contract Necessity Exception Compliance
When automated decision-making is necessary for entering into or performing a contract with the data subject, data contr
GDPR-22-03
Conformity
Legal Authorization Exception Compliance
When automated decision-making is authorized by Union or Member State law, data controllers must ensure compliance with
GDPR-22-04
Data Governance
Explicit Consent Exception Compliance
When automated decision-making is based on the data subject's explicit consent, data controllers must obtain and documen
GDPR-22-05
Human Oversight
Safeguarding Measures for Contract and Consent Cases
Data controllers must implement suitable measures to safeguard data subjects' rights, freedoms and legitimate interests
GDPR-22-06
Human Oversight
Human Intervention Right Implementation
Data controllers must provide data subjects with the right to obtain human intervention when automated decision-making i
GDPR-22-07
Human Oversight
Right to Express Views Implementation
Data controllers must provide data subjects with the right to express their point of view regarding automated decisions
GDPR-22-08
Human Oversight
Right to Contest Decision Implementation
Data controllers must provide data subjects with the right to contest automated decisions when such decisions are based