GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Chapter IV — Controller and Processor
Article 32. Security of processing
4 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| GDPR-32-04 | Requirement | Implement timely data recovery capabilities | Controllers and processors must implement the ability to restore the availability and access to personal data in a timel |
| GDPR-32-05 | Requirement | Regularly test and evaluate security measures effectiveness | Controllers and processors must establish a process for regularly testing, assessing and evaluating the effectiveness of |
| GDPR-32-06 | Risk Management | Assess security risks in determining appropriate security level | Controllers and processors must assess the appropriate level of security taking into account risks from accidental or un |
| GDPR-32-07 | Data Governance | Ensure personnel process data only on instructions or legal requirement | Controllers and processors must take steps to ensure that any natural person acting under their authority who has access |
Article 33. Notification of a personal data breach to the supervisory authority
10 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| GDPR-33-01 | Reporting | Notify supervisory authority of personal data breach within 72 hours | Controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feas |
| GDPR-33-02 | Transparency | Provide reasons for delayed breach notification | When notification to the supervisory authority is not made within 72 hours, the controller must provide reasons for the |
| GDPR-33-03 | Reporting | Processor must notify controller of personal data breach | The processor must notify the controller without undue delay after becoming aware of a personal data breach. |
| GDPR-33-04 | Transparency | Describe nature of personal data breach in notification | The notification must describe the nature of the personal data breach including, where possible, the categories and appr |
| GDPR-33-05 | Transparency | Provide contact details in breach notification | The notification must communicate the name and contact details of the data protection officer or other contact point whe |
| GDPR-33-06 | Transparency | Describe likely consequences of breach in notification | The notification must describe the likely consequences of the personal data breach. |
| GDPR-33-07 | Transparency | Describe remedial measures in breach notification | The notification must describe the measures taken or proposed to be taken by the controller to address the personal data |
| GDPR-33-08 | Reporting | Provide breach information in phases if necessary | Where it is not possible to provide all required breach notification information at the same time, the information may b |
| GDPR-33-09 | Documentation | Document all personal data breaches | The controller must document any personal data breaches, comprising the facts relating to the personal data breach, its |
| GDPR-33-10 | Documentation | Maintain breach documentation for supervisory authority verification | The breach documentation must enable the supervisory authority to verify compliance with Article 33. |
Article 34. Communication of a personal data breach to the data subject
7 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| GDPR-34-01 | Reporting | Communicate personal data breach to data subject when high risk exists | When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the contro |
| GDPR-34-02 | Transparency | Describe breach nature in clear and plain language to data subjects | The communication to data subjects about a personal data breach must describe the nature of the breach in clear and plai |
| GDPR-34-03 | Transparency | Include required information in data subject breach communications | Data subject breach communications must contain at least the information and measures referred to in points (b), (c) and |
| GDPR-34-04 | Data Governance | Implement appropriate technical and organisational protection measures | Controllers may avoid the obligation to communicate breaches to data subjects if they have implemented appropriate techn |
| GDPR-34-05 | Risk Management | Take subsequent measures to eliminate high risk | Controllers may avoid the obligation to communicate breaches to data subjects if they have taken subsequent measures tha |
| GDPR-34-06 | Transparency | Provide public communication when individual notification involves disproportionate effort | When individual communication to data subjects would involve disproportionate effort, controllers must instead provide a |
| GDPR-34-07 | Requirement | Comply with supervisory authority orders to communicate breach to data subjects | Controllers must communicate personal data breaches to data subjects when required to do so by the supervisory authority |
Article 35. Data protection impact assessment
4 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| GDPR-35-01 | Risk Management | Conduct DPIA for high-risk processing | Where processing using new technologies is likely to result in high risk to rights and freedoms of natural persons, the |
| GDPR-35-02 | Human Oversight | Seek DPO advice when conducting DPIA | The controller must seek the advice of the data protection officer, where designated, when carrying out a data protectio |
| GDPR-35-03 | Risk Management | Conduct DPIA for systematic automated evaluation with legal effects | A DPIA is specifically required for systematic and extensive evaluation of personal aspects based on automated processin |
| GDPR-35-04 | Risk Management | Conduct DPIA for large-scale special category data processing | A DPIA is specifically required for processing on a large scale of special categories of data or personal data relating |