GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Article 22. Automated individual decision-making, including profiling
2 obligations
GDPR-22-09
Prohibition
Special Category Data Prohibition in Automated Decisions
Data controllers must not base automated decisions on special categories of personal data (as defined in Article 9(1)),
GDPR-22-10
Data Governance
Special Safeguards for Special Category Data in Automated Decisions
When automated decisions involve special categories of personal data under Article 9(2)(a) or 9(2)(g) exceptions, data c
Article 23. Restrictions
11 obligations
GDPR-23-01
Requirement
Ensure legislative restrictions respect fundamental rights essence
When implementing legislative measures that restrict GDPR obligations and rights, ensure such restrictions respect the e
GDPR-23-02
Prohibition
Limit restrictions to specified legitimate purposes only
Legislative restrictions on GDPR obligations and rights may only be implemented to safeguard specific enumerated purpose
GDPR-23-03
Requirement
Include specific provisions on processing purposes in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the purposes of the proc
GDPR-23-04
Requirement
Specify categories of personal data in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the categories of person
GDPR-23-05
Requirement
Define scope of restrictions in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the scope of the restric
GDPR-23-06
Requirement
Establish safeguards against abuse in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding safeguards to prevent ab
GDPR-23-07
Requirement
Specify controllers in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the specification of the
GDPR-23-08
Requirement
Define storage periods and safeguards in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding storage periods and appl
GDPR-23-09
Requirement
Address risks to data subject rights in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the risks to the rights
GDPR-23-10
Requirement
Address data subject notification rights in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the right of data subjec
GDPR-23-11
Requirement
Comply with legislative restrictions when subject to such measures
Data controllers and processors must comply with Union or Member State legislative measures that restrict the scope of G
Chapter IV — Controller and Processor
Article 24. Responsibility of the controller
3 obligations
GDPR-24-01
Risk Management
Implement appropriate technical and organisational measures for GDPR compliance
Controllers must implement appropriate technical and organisational measures to ensure and demonstrate that data process
GDPR-24-02
Monitoring
Review and update compliance measures when necessary
Controllers must review and update their technical and organisational measures for GDPR compliance where necessary to ma
GDPR-24-03
Data Governance
Implement appropriate data protection policies
Controllers must implement appropriate data protection policies where proportionate in relation to their processing acti
Article 25. Data protection by design and by default
7 obligations
GDPR-25-01
Requirement
Implement data protection by design measures
Controllers must implement appropriate technical and organisational measures (such as pseudonymisation) at the time of d
GDPR-25-02
Requirement
Implement data protection by default measures for data necessity
Controllers must implement appropriate technical and organisational measures to ensure that by default only personal dat
GDPR-25-03
Data Governance
Apply default protection to data collection amount
The data protection by default obligation specifically applies to limiting the amount of personal data collected to what
GDPR-25-04
Data Governance
Apply default protection to processing extent
The data protection by default obligation specifically applies to limiting the extent of personal data processing to wha
GDPR-25-05
Data Governance
Apply default protection to storage period
The data protection by default obligation specifically applies to limiting the period of personal data storage to what i
GDPR-25-06
Data Governance
Apply default protection to data accessibility
The data protection by default obligation specifically applies to limiting the accessibility of personal data to what is
GDPR-25-07
Requirement
Ensure default non-accessibility without individual intervention
Controllers must ensure that by default personal data are not made accessible to an indefinite number of natural persons
Article 26. Joint controllers
2 obligations
GDPR-26-01
Data Governance
Determine joint controllership transparently
When two or more controllers jointly determine the purposes and means of processing, they must transparently determine t
GDPR-26-02
Data Governance
Designate contact point for data subjects (optional)
Joint controllers may designate a contact point for data subjects in their arrangement to facilitate communication and e