GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Article 26. Joint controllers
3 obligations
GDPR-26-03
Documentation
Reflect roles and relationships in arrangement
The joint controller arrangement must accurately reflect the respective roles and relationships of the joint controllers
GDPR-26-04
Transparency
Make arrangement essence available to data subjects
Joint controllers must make the essence (key elements) of their joint controller arrangement available to data subjects,
GDPR-26-05
Requirement
Accept data subject rights exercise against any joint controller
Each joint controller must be prepared to handle and respond to data subject rights requests directed at them individual
Article 27. Representatives of controllers or processors not established in the Union
3 obligations
GDPR-27-01
Registration
Designate representative in writing when Article 27(2) applies
Controllers or processors not established in the Union must designate in writing a representative in the Union when the
GDPR-27-02
Requirement
Establish representative in appropriate Member State
The designated representative must be established in one of the Member States where the data subjects whose personal dat
GDPR-27-03
Data Governance
Mandate representative to be addressed by authorities and data subjects
The representative must be mandated by the controller or processor to be addressed in addition to or instead of the cont
Article 28. Processor
15 obligations
GDPR-28-01
Data Governance
Use only processors with sufficient guarantees
Controllers must use only processors that provide sufficient guarantees to implement appropriate technical and organisat
GDPR-28-02
Requirement
Obtain authorization before engaging sub-processors
Processors must not engage another processor without prior specific or general written authorisation from the controller
GDPR-28-03
Transparency
Inform controller of intended sub-processor changes
In cases of general written authorisation, processors must inform the controller of any intended changes concerning addi
GDPR-28-04
Documentation
Establish binding contract with processor
Processing by a processor must be governed by a contract or other legal act under Union or Member State law that is bind
GDPR-28-05
Requirement
Process only on documented controller instructions
Processors must process personal data only on documented instructions from the controller, including regarding transfers
GDPR-28-06
Transparency
Inform controller of legal processing requirements
When required to process by Union or Member State law, processors must inform the controller of that legal requirement b
GDPR-28-07
Requirement
Ensure personnel confidentiality commitments
Processors must ensure that persons authorised to process personal data have committed themselves to confidentiality or
GDPR-28-08
Requirement
Assist controller with data subject rights requests
Processors must assist the controller by appropriate technical and organisational measures, insofar as possible, for ful
GDPR-28-09
Requirement
Assist controller with compliance obligations
Processors must assist the controller in ensuring compliance with obligations taking into account the nature of processi
GDPR-28-10
Requirement
Delete or return data after service end
At the controller's choice, processors must delete or return all personal data to the controller after the end of servic
GDPR-28-11
Transparency
Provide compliance information and audit access
Processors must make available to the controller all information necessary to demonstrate compliance with Article 28 obl
GDPR-28-12
Transparency
Inform controller of instruction infringements
Processors must immediately inform the controller if, in their opinion, an instruction infringes GDPR or other Union or
GDPR-28-13
Requirement
Impose same obligations on sub-processors
When engaging another processor for specific processing activities, processors must impose the same data protection obli
GDPR-28-14
Requirement
Remain liable for sub-processor obligations
Where another processor fails to fulfil its data protection obligations, the initial processor remains fully liable to t
GDPR-28-15
Documentation
Maintain contracts in written form
The contract or other legal act referred to in paragraphs 3 and 4 must be in writing, including in electronic form.
Article 29. Processing under the authority of the controller or processor
2 obligations
GDPR-29-01
Prohibition
Processor instruction compliance obligation
The processor must not process personal data except on instructions from the controller, unless required to do so by Uni
GDPR-29-02
Prohibition
Authorized persons instruction compliance obligation
Any person acting under the authority of the controller or processor who has access to personal data must not process th
Article 30. Records of processing activities
2 obligations
GDPR-30-01
Documentation
Controller must maintain record of processing activities
Each controller must maintain a comprehensive record of all processing activities under its responsibility, containing s
GDPR-30-02
Documentation
Controller's representative must maintain record of processing activities
Where applicable, the controller's representative must maintain a record of processing activities under the controller's