GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Documentation Obligations
32 obligations
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Article 4. Definitions
1 obligation
Chapter II — Principles
Article 5. Principles relating to processing of personal data
1 obligation
Article 7. Conditions for consent
1 obligation
Article 11. Processing which does not require identification
1 obligation
Chapter III — Rights of the Data Subject
Chapter IV — Controller and Processor
Article 26. Joint controllers
1 obligation
Article 28. Processor
2 obligations
GDPR-28-04
Documentation
Establish binding contract with processor
Processing by a processor must be governed by a contract or other legal act under Union or Member State law that is bind
GDPR-28-15
Documentation
Maintain contracts in written form
The contract or other legal act referred to in paragraphs 3 and 4 must be in writing, including in electronic form.
Article 30. Records of processing activities
16 obligations
GDPR-30-01
Documentation
Controller must maintain record of processing activities
Each controller must maintain a comprehensive record of all processing activities under its responsibility, containing s
GDPR-30-02
Documentation
Controller's representative must maintain record of processing activities
Where applicable, the controller's representative must maintain a record of processing activities under the controller's
GDPR-30-03
Documentation
Controller record must contain contact details and organizational information
The controller's processing record must contain the name and contact details of the controller, joint controller (where
GDPR-30-04
Documentation
Controller record must contain purposes of processing
The controller's processing record must include the purposes for which personal data is being processed.
GDPR-30-05
Documentation
Controller record must describe data subjects and personal data categories
The controller's processing record must contain a description of the categories of data subjects and the categories of p
GDPR-30-06
Documentation
Controller record must list recipients of personal data
The controller's processing record must include the categories of recipients to whom personal data have been or will be
GDPR-30-07
Documentation
Controller record must document international transfers
Where applicable, the controller's processing record must document transfers of personal data to third countries or inte
GDPR-30-08
Documentation
Controller record must include data retention time limits
Where possible, the controller's processing record must include the envisaged time limits for erasure of different categ
GDPR-30-09
Documentation
Controller record must describe technical and organisational security measures
Where possible, the controller's processing record must include a general description of technical and organisational se
GDPR-30-10
Documentation
Processor must maintain record of processing activities
Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
GDPR-30-11
Documentation
Processor's representative must maintain record of processing activities
Where applicable, the processor's representative must maintain a record of all categories of processing activities carri
GDPR-30-12
Documentation
Processor record must contain contact details and organizational information
The processor's processing record must contain the name and contact details of the processor(s), each controller on whos
GDPR-30-13
Documentation
Processor record must list categories of processing activities
The processor's processing record must include the categories of processing carried out on behalf of each controller.
GDPR-30-14
Documentation
Processor record must document international transfers
Where applicable, the processor's processing record must document transfers of personal data to third countries or inter
GDPR-30-15
Documentation
Processor record must describe technical and organisational security measures
Where possible, the processor's processing record must include a general description of technical and organisational sec
GDPR-30-16
Documentation
Records must be maintained in written form
All processing activity records maintained by controllers and processors must be kept in writing, including in electroni
Article 33. Notification of a personal data breach to the supervisory authority
2 obligations
GDPR-33-09
Documentation
Document all personal data breaches
The controller must document any personal data breaches, comprising the facts relating to the personal data breach, its
GDPR-33-10
Documentation
Maintain breach documentation for supervisory authority verification
The breach documentation must enable the supervisory authority to verify compliance with Article 33.
Article 35. Data protection impact assessment
2 obligations
GDPR-35-11
Documentation
Include systematic description in DPIA
The DPIA must contain a systematic description of the envisaged processing operations and the purposes of processing, in
GDPR-35-12
Documentation
Assess necessity and proportionality in DPIA
The DPIA must contain an assessment of the necessity and proportionality of the processing operations in relation to the
Article 43. Certification bodies
1 obligation
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Article 49. Derogations for specific situations
1 obligation
Chapter VI — Independent Supervisory Authorities
Article 57. Tasks
2 obligations
GDPR-57-11
Documentation
Establish and maintain DPIA requirement list
Supervisory authorities must establish and maintain a list in relation to the requirement for data protection impact ass
GDPR-57-21
Documentation
Keep internal records of infringements and measures
Supervisory authorities must keep internal records of infringements of the GDPR and of measures taken in accordance with
Chapter VII — Cooperation and Consistency
Article 75. Secretariat
1 obligation