GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules ref
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board ref
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 3. Territorial scope
4 obligations
GDPR-3-01
Requirement
Comply with GDPR when processing personal data in EU establishment context
Controllers and processors with establishments in the EU must comply with GDPR requirements when processing personal dat
GDPR-3-02
Requirement
Comply with GDPR when offering goods/services to EU data subjects
Controllers and processors not established in the EU must comply with GDPR when processing personal data of EU data subj
GDPR-3-03
Requirement
Comply with GDPR when monitoring behavior of EU data subjects
Controllers and processors not established in the EU must comply with GDPR when processing personal data of EU data subj
GDPR-3-04
Requirement
Comply with GDPR in territories where EU Member State law applies
Controllers not established in the EU must comply with GDPR when processing personal data in places where EU Member Stat
Chapter II — Principles
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Article 30. Records of processing activities
15 obligations
GDPR-30-03
Documentation
Controller record must contain contact details and organizational information
The controller's processing record must contain the name and contact details of the controller, joint controller (where
GDPR-30-04
Documentation
Controller record must contain purposes of processing
The controller's processing record must include the purposes for which personal data is being processed.
GDPR-30-05
Documentation
Controller record must describe data subjects and personal data categories
The controller's processing record must contain a description of the categories of data subjects and the categories of p
GDPR-30-06
Documentation
Controller record must list recipients of personal data
The controller's processing record must include the categories of recipients to whom personal data have been or will be
GDPR-30-07
Documentation
Controller record must document international transfers
Where applicable, the controller's processing record must document transfers of personal data to third countries or inte
GDPR-30-08
Documentation
Controller record must include data retention time limits
Where possible, the controller's processing record must include the envisaged time limits for erasure of different categ
GDPR-30-09
Documentation
Controller record must describe technical and organisational security measures
Where possible, the controller's processing record must include a general description of technical and organisational se
GDPR-30-10
Documentation
Processor must maintain record of processing activities
Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
GDPR-30-11
Documentation
Processor's representative must maintain record of processing activities
Where applicable, the processor's representative must maintain a record of all categories of processing activities carri
GDPR-30-12
Documentation
Processor record must contain contact details and organizational information
The processor's processing record must contain the name and contact details of the processor(s), each controller on whos
GDPR-30-13
Documentation
Processor record must list categories of processing activities
The processor's processing record must include the categories of processing carried out on behalf of each controller.
GDPR-30-14
Documentation
Processor record must document international transfers
Where applicable, the processor's processing record must document transfers of personal data to third countries or inter
GDPR-30-15
Documentation
Processor record must describe technical and organisational security measures
Where possible, the processor's processing record must include a general description of technical and organisational sec
GDPR-30-16
Documentation
Records must be maintained in written form
All processing activity records maintained by controllers and processors must be kept in writing, including in electroni
GDPR-30-17
Reporting
Records must be made available to supervisory authority on request
Controllers, processors, and their representatives must make processing activity records available to the supervisory au
Article 31. Cooperation with the supervisory authority
3 obligations
GDPR-31-01
Requirement
Controller cooperation with supervisory authority
Controllers must cooperate with the supervisory authority when requested to do so in the performance of the authority's
GDPR-31-02
Requirement
Processor cooperation with supervisory authority
Processors must cooperate with the supervisory authority when requested to do so in the performance of the authority's t
GDPR-31-03
Requirement
Representative cooperation with supervisory authority
Representatives of controllers and processors must cooperate with the supervisory authority when requested to do so in t
Article 32. Security of processing
3 obligations
GDPR-32-01
Requirement
Implement appropriate technical and organisational security measures
Controllers and processors must implement appropriate technical and organisational measures to ensure a level of securit
GDPR-32-02
Requirement
Implement pseudonymisation and encryption where appropriate
Controllers and processors must implement pseudonymisation and encryption of personal data as appropriate security measu
GDPR-32-03
Requirement
Ensure ongoing confidentiality, integrity, availability and resilience
Controllers and processors must ensure the ongoing confidentiality, integrity, availability and resilience of processing