Article 1. Subject matter and objectives

1 obligation

GDPR-1-01 Prohibition

Ensure free movement of personal data within the Union

Organizations must not restrict or prohibit the free movement of personal data within the Union for reasons connected wi

Article 5. Principles relating to processing of personal data

1 obligation

GDPR-5-03 Prohibition

Prohibit incompatible further processing

Controllers are prohibited from further processing personal data in a manner incompatible with the original collection p

Article 6. Lawfulness of processing

1 obligation

GDPR-6-02 Prohibition

Prohibition on legitimate interests basis for public authorities

Public authorities performing their tasks are prohibited from using the legitimate interests lawful basis (point f) for

Article 9. Processing of special categories of personal data

1 obligation

GDPR-9-01 Prohibition

Prohibition of Special Category Data Processing

Controllers must not process personal data revealing racial or ethnic origin, political opinions, religious or philosoph

Article 11. Processing which does not require identification

1 obligation

GDPR-11-01 Prohibition

No obligation to maintain/acquire identification data for GDPR compliance alone

When processing purposes do not require identification of data subjects, controllers are not obligated to maintain, acqu

Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject

1 obligation

GDPR-12-05 Prohibition

Cannot refuse to act unless unable to identify data subject

In cases referred to in Article 11(2), controllers shall not refuse to act on requests for exercising rights under Artic

Article 18. Right to restriction of processing

1 obligation

GDPR-18-05 Prohibition

Limit processing of restricted data to specific purposes only

Controllers must ensure that when processing has been restricted, such personal data shall, with the exception of storag

Article 20. Right to data portability

1 obligation

GDPR-20-04 Prohibition

Exclude data portability for public interest or official authority tasks

Controllers must not apply data portability rights to processing that is necessary for the performance of a task carried

Article 22. making, including profiling

2 obligations

GDPR-22-01 Prohibition

Prohibition on Automated Decision-Making with Legal/Significant Effects

Data controllers must not subject data subjects to decisions based solely on automated processing, including profiling,

GDPR-22-09 Prohibition

Special Category Data Prohibition in Automated Decisions

Data controllers must not base automated decisions on special categories of personal data (as defined in Article 9(1)),

Article 23. Restrictions

1 obligation

GDPR-23-02 Prohibition

Limit restrictions to specified legitimate purposes only

Legislative restrictions on GDPR obligations and rights may only be implemented to safeguard specific enumerated purpose

Article 29. Processing under the authority of the controller or processor

2 obligations

GDPR-29-01 Prohibition

Processor instruction compliance obligation

The processor must not process personal data except on instructions from the controller, unless required to do so by Uni

GDPR-29-02 Prohibition

Authorized persons instruction compliance obligation

Any person acting under the authority of the controller or processor who has access to personal data must not process th

Article 38. Position of the data protection officer

1 obligation

GDPR-38-05 Prohibition

Prohibit dismissal or penalization of DPO

Controllers and processors shall not dismiss or penalise the data protection officer for performing their tasks.

Article 48. Transfers or disclosures not authorised by Union law

1 obligation

GDPR-48-01 Prohibition

Prohibition on recognizing unauthorized third country data transfer orders

Controllers and processors must not recognize or allow enforcement of any judgment of a court or tribunal or decision of

Article 49. Derogations for specific situations

1 obligation

GDPR-49-03 Prohibition

Limit public register transfers to relevant portions only

When transferring data from public registers, controllers must not transfer the entirety of personal data or entire cate

Article 52. Independence

3 obligations

GDPR-52-03 Prohibition

Prohibition on Seeking or Taking Instructions

Members of supervisory authorities are prohibited from seeking or taking instructions from anybody when performing their

GDPR-52-04 Prohibition

Prohibition on Incompatible Actions

Members of supervisory authorities must refrain from any action that is incompatible with their duties as supervisory au

GDPR-52-05 Prohibition

Prohibition on Incompatible Occupations During Term

Members of supervisory authorities are prohibited from engaging in any incompatible occupation, whether gainful or not,

Article 54. Rules on the establishment of the supervisory authority

2 obligations

GDPR-54-07 Prohibition

Maintain professional secrecy duty for supervisory authority members and staff

Supervisory authority members and staff must maintain professional secrecy during and after their term of office regardi

GDPR-54-08 Prohibition

Maintain secrecy regarding infringement reporting during term of office

Supervisory authority members and staff must maintain professional secrecy specifically regarding reporting by natural p

Article 55. Competence

1 obligation

GDPR-55-03 Prohibition

Prohibition on Supervising Judicial Processing

Supervisory authorities must not supervise processing operations of courts when they are acting in their judicial capaci

Article 58. Powers

2 obligations

GDPR-58-08 Prohibition

Comply with Processing Limitations or Bans

Controllers and processors must comply with temporary or definitive limitations, including bans on processing, imposed b

GDPR-58-10 Prohibition

Suspend Data Flows When Ordered

Controllers and processors must suspend data flows to recipients in third countries or international organizations when

Article 61. Mutual assistance

1 obligation

GDPR-61-09 Prohibition

Not charge fees for mutual assistance actions

Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual a

Article 62. Joint operations of supervisory authorities

1 obligation

GDPR-62-09 Prohibition

Refrain from requesting reimbursement except for staff damage

Member States must refrain from requesting reimbursement from other Member States for joint operation-related costs, exc

Article 64. Opinion of the Board

1 obligation

GDPR-64-07 Prohibition

Supervisory Authority Prohibited from Adopting Draft Decision During Opinion Period

The competent supervisory authority must not adopt its draft decision within the period referred to in paragraph 3 (the

Article 65. Dispute resolution by the Board

1 obligation

GDPR-65-05 Prohibition

Supervisory authorities prohibited from deciding during Board consideration

Supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board during the per

Article 69. Independence

2 obligations

GDPR-69-02 Prohibition

Board Prohibition on Seeking Instructions

The European Data Protection Board shall not seek instructions from any external party when performing its tasks or exer

GDPR-69-03 Prohibition

Board Prohibition on Taking Instructions

The European Data Protection Board shall not take instructions from any external party when performing its tasks or exer

Article 95. Relationship with Directive 2002/58/EC

1 obligation

GDPR-95-01 Prohibition

No Additional GDPR Obligations for ePrivacy-Regulated Electronic Communications

Must not be subject to additional GDPR obligations beyond those already specified in Directive 2002/58/EC when processin