GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Chapter IV — Controller and Processor
Article 35. Data protection impact assessment
13 obligations
GDPR-35-05
Risk Management
Conduct DPIA for systematic large-scale public area monitoring
A DPIA is specifically required for systematic monitoring of a publicly accessible area on a large scale.
GDPR-35-06
Transparency
Establish and publish DPIA-required processing list
The supervisory authority must establish and make public a list of processing operations that require a data protection
GDPR-35-07
Reporting
Communicate DPIA-required list to Board
The supervisory authority must communicate the list of processing operations requiring DPIA to the Board.
GDPR-35-08
Transparency
Establish and publish DPIA-exempt processing list
The supervisory authority may establish and make public a list of processing operations for which no data protection imp
GDPR-35-09
Reporting
Communicate DPIA-exempt list to Board
The supervisory authority must communicate the list of processing operations exempt from DPIA to the Board.
GDPR-35-10
Data Governance
Apply consistency mechanism for cross-border lists
Prior to adopting DPIA lists, the supervisory authority must apply the consistency mechanism for processing activities r
GDPR-35-11
Documentation
Include systematic description in DPIA
The DPIA must contain a systematic description of the envisaged processing operations and the purposes of processing, in
GDPR-35-12
Documentation
Assess necessity and proportionality in DPIA
The DPIA must contain an assessment of the necessity and proportionality of the processing operations in relation to the
GDPR-35-13
Risk Management
Assess risks to data subjects in DPIA
The DPIA must contain an assessment of the risks to the rights and freedoms of data subjects.
GDPR-35-14
Risk Management
Document risk mitigation measures in DPIA
The DPIA must contain the measures envisaged to address the risks, including safeguards, security measures and mechanism
GDPR-35-15
Conformity
Consider code compliance in DPIA assessment
Compliance with approved codes of conduct by controllers or processors must be taken into due account when assessing the
GDPR-35-16
Transparency
Seek data subject views on intended processing
Where appropriate, the controller must seek the views of data subjects or their representatives on the intended processi
GDPR-35-17
Monitoring
Review DPIA when risk changes
Where necessary, the controller must carry out a review to assess if processing is performed in accordance with the data
Article 36. Prior consultation
7 obligations
GDPR-36-01
Risk Management
Consult supervisory authority before high-risk processing
The controller must consult the supervisory authority prior to processing where a data protection impact assessment indi
GDPR-36-02
Transparency
Provide controller and joint controller responsibilities information
When consulting the supervisory authority, the controller must provide information about the respective responsibilities
GDPR-36-03
Transparency
Provide purposes and means of intended processing
When consulting the supervisory authority, the controller must provide the purposes and means of the intended processing
GDPR-36-04
Transparency
Provide measures and safeguards for data subject rights protection
When consulting the supervisory authority, the controller must provide the measures and safeguards provided to protect t
GDPR-36-05
Transparency
Provide data protection officer contact details
When consulting the supervisory authority, the controller must provide the contact details of the data protection office
GDPR-36-06
Transparency
Provide data protection impact assessment
When consulting the supervisory authority, the controller must provide the data protection impact assessment.
GDPR-36-07
Transparency
Provide any other information requested by supervisory authority
When consulting the supervisory authority, the controller must provide any other information requested by the supervisor
Article 37. Designation of the data protection officer
5 obligations
GDPR-37-01
Data Governance
Designate DPO for public authorities
Controllers and processors that are public authorities or bodies (except courts in judicial capacity) must designate a d
GDPR-37-02
Data Governance
Designate DPO for large-scale systematic monitoring
Controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large s
GDPR-37-03
Data Governance
Designate DPO for large-scale special category data processing
Controllers and processors whose core activities involve large-scale processing of special categories of data or persona
GDPR-37-04
Data Governance
Ensure DPO accessibility for group companies
When a group of undertakings appoints a single data protection officer, they must ensure the DPO is easily accessible fr
GDPR-37-05
Data Governance
Designate DPO based on professional qualifications
The data protection officer must be designated based on professional qualities, particularly expert knowledge of data pr