GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Requirement Obligations
Title I — General Data Protection Regulation (GDPR)
310 obligations
Chapter I — General Provisions
Article 2. Material scope
4 obligations
GDPR-2-01
Requirement
Apply GDPR to automated personal data processing
Organizations must apply GDPR requirements when processing personal data wholly or partly by automated means
GDPR-2-02
Requirement
Apply GDPR to non-automated filing system personal data processing
Organizations must apply GDPR requirements when processing personal data by non-automated means if the data forms part o
GDPR-2-03
Requirement
Exclude purely personal or household activities from GDPR compliance
Natural persons conducting purely personal or household activities are not required to comply with GDPR obligations for
GDPR-2-04
Requirement
Union institutions must adapt existing regulations to GDPR principles
Union institutions, bodies, offices and agencies must ensure that Regulation (EC) No 45/2001 and other applicable Union
Article 3. Territorial scope
4 obligations
GDPR-3-01
Requirement
Comply with GDPR when processing personal data in EU establishment context
Controllers and processors with establishments in the EU must comply with GDPR requirements when processing personal dat
GDPR-3-02
Requirement
Comply with GDPR when offering goods/services to EU data subjects
Controllers and processors not established in the EU must comply with GDPR when processing personal data of EU data subj
GDPR-3-03
Requirement
Comply with GDPR when monitoring behavior of EU data subjects
Controllers and processors not established in the EU must comply with GDPR when processing personal data of EU data subj
GDPR-3-04
Requirement
Comply with GDPR in territories where EU Member State law applies
Controllers not established in the EU must comply with GDPR when processing personal data in places where EU Member Stat
Article 4. Definitions
2 obligations
GDPR-4-02
Requirement
Public Authority Data Protection Rules Compliance
Public authorities that receive personal data in the framework of a particular inquiry must process those data in compli
GDPR-4-04
Requirement
Member State Supervisory Authority Establishment
Member States must establish an independent public supervisory authority in accordance with the referenced provisions of
Chapter II — Principles
Article 5. Principles relating to processing of personal data
9 obligations
GDPR-5-01
Requirement
Process personal data lawfully, fairly and transparently
Data controllers must ensure all processing of personal data is conducted in accordance with legal grounds, in a fair ma
GDPR-5-02
Requirement
Collect data for specified, explicit and legitimate purposes only
Personal data must be collected only for purposes that are clearly specified, explicitly stated, and legitimate. Control
GDPR-5-05
Requirement
Maintain data accuracy and currency
Controllers must ensure personal data is accurate and, where necessary, kept up to date relative to the processing purpo
GDPR-5-06
Requirement
Take reasonable steps to erase or rectify inaccurate data
Controllers must take every reasonable step to ensure inaccurate personal data is erased or rectified without delay, con
GDPR-5-07
Requirement
Limit data storage duration to necessary period
Controllers must keep personal data in a form permitting identification of data subjects for no longer than necessary fo
GDPR-5-08
Requirement
Implement safeguards for extended storage periods
When storing personal data for longer periods for archiving, scientific research, historical research, or statistical pu
GDPR-5-09
Requirement
Ensure appropriate security of personal data
Controllers must process personal data in a manner ensuring appropriate security, including protection against unauthori
GDPR-5-10
Requirement
Use appropriate technical or organizational security measures
Controllers must implement appropriate technical or organizational measures to ensure the security and integrity of pers
GDPR-5-11
Requirement
Take responsibility for compliance with data protection principles
Controllers must be responsible for compliance with all data protection principles outlined in paragraph 1 of this artic
Article 6. Lawfulness of processing
10 obligations
GDPR-6-01
Requirement
Ensure lawful basis for processing
Processing of personal data must be lawful only if and to the extent that at least one of the lawful bases specified in
GDPR-6-03
Requirement
Establish legal basis in Union or Member State law for legal obligation/public task
For processing based on legal obligation (point c) or public task (point e), the basis must be laid down by Union law or
GDPR-6-04
Requirement
Determine processing purpose in legal basis
The purpose of processing based on legal obligation or public task must be determined in the legal basis, or must be nec
GDPR-6-05
Requirement
Ensure legal basis meets public interest objective and proportionality
Union or Member State law establishing the legal basis for processing must meet an objective of public interest and be p
GDPR-6-06
Requirement
Conduct compatibility assessment for further processing
When processing personal data for a purpose other than the original collection purpose (not based on consent or Union/Me
GDPR-6-07
Requirement
Consider purpose linkage in compatibility assessment
Controllers must consider any link between the original data collection purposes and the purposes of the intended furthe
GDPR-6-08
Requirement
Consider collection context in compatibility assessment
Controllers must consider the context in which personal data were collected, particularly the relationship between data
GDPR-6-09
Requirement
Consider data nature in compatibility assessment
Controllers must consider the nature of personal data, particularly whether special categories of personal data or crimi
GDPR-6-10
Requirement
Consider processing consequences in compatibility assessment
Controllers must consider the possible consequences of the intended further processing for data subjects when assessing
GDPR-6-11
Requirement
Consider safeguards existence in compatibility assessment
Controllers must consider the existence of appropriate safeguards, which may include encryption or pseudonymisation, whe
Article 7. Conditions for consent
4 obligations
GDPR-7-02
Requirement
Present consent request in distinguishable manner
When consent is requested in a written declaration that also concerns other matters, the request for consent must be pre
GDPR-7-03
Requirement
Use intelligible and easily accessible form for consent
When consent is requested in a written declaration that also concerns other matters, the request must be in an intelligi
GDPR-7-04
Requirement
Use clear and plain language for consent
When consent is requested in a written declaration that also concerns other matters, the request must use clear and plai
GDPR-7-06
Requirement
Make withdrawal as easy as giving consent
The mechanism for withdrawing consent must be as easy to use as the mechanism for giving consent.
Article 8. Conditions applicable to child's consent in relation to information society services
3 obligations
GDPR-8-01
Requirement
Age-based lawful processing for information society services
When offering information society services directly to a child, process personal data lawfully only if the child is at l
GDPR-8-02
Requirement
Parental consent requirement for children under 16
For children below 16 years (or lower age set by Member State), process personal data only if and to the extent that con
GDPR-8-03
Requirement
Reasonable efforts to verify parental consent
Make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the
Article 9. Processing of special categories of personal data
12 obligations
GDPR-9-02
Requirement
Explicit Consent Requirement for Special Category Data
When relying on explicit consent as the lawful basis for processing special category data, controllers must obtain expli
GDPR-9-03
Requirement
Employment/Social Security Legal Authorization Requirement
When processing special category data for employment and social security purposes, controllers must ensure processing is
GDPR-9-04
Requirement
Vital Interests Processing Requirement
When processing special category data based on vital interests, controllers must ensure processing is necessary to prote
GDPR-9-05
Requirement
Not-for-Profit Body Processing Requirements
Not-for-profit bodies with political, philosophical, religious or trade union aims must ensure processing is carried out
GDPR-9-06
Requirement
Manifestly Public Data Verification Requirement
Controllers processing special category data that has been made manifestly public must verify that the data was indeed m
GDPR-9-07
Requirement
Legal Claims Processing Necessity Requirement
Controllers must ensure that processing of special category data is necessary for the establishment, exercise or defence
GDPR-9-08
Requirement
Substantial Public Interest Legal Basis Requirements
Controllers processing special category data for substantial public interest must ensure it is based on Union or Member
GDPR-9-09
Requirement
Healthcare Processing Legal Basis and Safeguards Requirement
Controllers processing special category data for healthcare purposes must ensure processing is based on Union or Member
GDPR-9-10
Requirement
Public Health Processing Legal Framework Requirement
Controllers processing special category data for public health purposes must ensure processing is based on Union or Memb
GDPR-9-11
Requirement
Archiving and Research Processing Legal Requirements
Controllers processing special category data for archiving, scientific or historical research, or statistical purposes m
GDPR-9-12
Requirement
Professional Secrecy Requirement for Healthcare Data Processing
When processing special category data for healthcare purposes, controllers must ensure data are processed by or under re
GDPR-9-13
Requirement
Member State Additional Conditions Authority
Member States may maintain or introduce further conditions, including limitations, with regard to the processing of gene
Article 10. Processing of personal data relating to criminal convictions and offences
2 obligations
GDPR-10-01
Requirement
Criminal data processing control requirement
Processing of personal data relating to criminal convictions and offences or related security measures must be carried o
GDPR-10-02
Requirement
Criminal convictions register control requirement
Any comprehensive register of criminal convictions must be kept only under the control of official authority.
Article 11. Processing which does not require identification
1 obligation
Chapter III — Rights of the Data Subject
Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject
14 obligations
GDPR-12-02
Requirement
Provide information in writing or other means including electronic
Controllers must provide the required information in writing, or by other means, including where appropriate by electron
GDPR-12-03
Requirement
Provide information orally when requested if identity verified
When requested by the data subject, controllers may provide the information orally, provided that the identity of the da
GDPR-12-04
Requirement
Facilitate exercise of data subject rights
Controllers must facilitate the exercise of data subject rights under Articles 15 to 22.
GDPR-12-06
Requirement
Provide information on action taken within one month
Controllers must provide information on action taken on requests under Articles 15-22 to the data subject without undue
GDPR-12-07
Requirement
May extend response period by two months if justified
Controllers may extend the one-month response period by two further months where necessary, taking into account the comp
GDPR-12-08
Requirement
Inform data subject of extension within one month with reasons
Controllers must inform the data subject of any extension within one month of receipt of the request, together with the
GDPR-12-09
Requirement
Provide electronic response to electronic requests unless otherwise requested
Where the data subject makes the request by electronic means, controllers must provide the information by electronic mea
GDPR-12-10
Requirement
Inform data subject of reasons for not taking action within one month
If the controller does not take action on the request of the data subject, the controller must inform the data subject w
GDPR-12-11
Requirement
Provide information and communications free of charge
Information provided under Articles 13 and 14 and any communication and actions taken under Articles 15-22 and Article 3
GDPR-12-12
Requirement
May charge reasonable fee or refuse manifestly unfounded or excessive requests
Where requests from a data subject are manifestly unfounded or excessive, particularly because of their repetitive chara
GDPR-12-13
Requirement
Bear burden of demonstrating manifestly unfounded or excessive character
Controllers must bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
GDPR-12-14
Requirement
May request additional information to confirm identity if reasonable doubts
Where controllers have reasonable doubts concerning the identity of the natural person making requests referred to in Ar
GDPR-12-15
Requirement
May use standardised icons with information provided
Information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardi
GDPR-12-16
Requirement
Electronic icons must be machine-readable
Where icons are presented electronically they must be machine-readable.
Article 13. Information to be provided where personal data are collected from the data subject
1 obligation
Article 14. Information to be provided where personal data have not been obtained from the data subject
3 obligations
GDPR-14-08
Requirement
Comply with timing requirements for information provision
The controller must provide the required information within a reasonable period after obtaining the personal data, but a
GDPR-14-09
Requirement
Provide information at first communication when data used for communication
The controller must provide the required information at the latest at the time of the first communication to the data su
GDPR-14-10
Requirement
Provide information before first disclosure to another recipient
The controller must provide the required information at the latest when the personal data are first disclosed if a discl
Article 15. Right of access by the data subject
1 obligation
Article 16. Right to rectification
2 obligations
GDPR-16-01
Requirement
Provide rectification of inaccurate personal data without undue delay
Controllers must rectify inaccurate personal data concerning a data subject without undue delay when requested by the da
GDPR-16-02
Requirement
Complete incomplete personal data upon request
Controllers must allow data subjects to have incomplete personal data completed, taking into account the purposes of the
Article 17. Right to erasure (‘right to be forgotten’)
4 obligations
GDPR-17-01
Requirement
Erase personal data without undue delay when grounds apply
Controller must erase personal data without undue delay when any of the specified grounds apply: data no longer necessar
GDPR-17-02
Requirement
Take reasonable steps to inform other controllers of erasure requests
When controller has made personal data public and must erase it, controller must take reasonable steps including technic
GDPR-17-03
Requirement
Consider available technology and implementation costs in erasure measures
When taking steps to inform other controllers about erasure requests for public data, controller must take into account
GDPR-17-04
Requirement
Apply erasure exceptions when processing is necessary for specified purposes
Controller must not apply erasure obligations when processing is necessary for: freedom of expression, legal compliance,
Article 18. Right to restriction of processing
4 obligations
GDPR-18-01
Requirement
Provide restriction of processing when accuracy is contested
Controllers must restrict processing of personal data when the data subject contests the accuracy of the personal data,
GDPR-18-02
Requirement
Provide restriction of processing when processing is unlawful and erasure opposed
Controllers must restrict processing of personal data when the processing is unlawful and the data subject opposes the e
GDPR-18-03
Requirement
Provide restriction of processing when data no longer needed but required for legal claims
Controllers must restrict processing of personal data when the controller no longer needs the personal data for the purp
GDPR-18-04
Requirement
Provide restriction of processing when objection is pending verification
Controllers must restrict processing of personal data when the data subject has objected to processing pursuant to Artic
Article 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 obligation
Article 20. Right to data portability
4 obligations
GDPR-20-01
Requirement
Provide personal data in structured, machine-readable format
Controllers must provide personal data concerning the data subject, which the data subject has provided to the controlle
GDPR-20-02
Requirement
Enable data transmission to another controller without hindrance
Controllers must allow data subjects to transmit their personal data to another controller without creating obstacles or
GDPR-20-03
Requirement
Enable direct data transmission between controllers when technically feasible
Controllers must facilitate direct transmission of personal data from one controller to another when requested by the da
GDPR-20-05
Requirement
Ensure data portability does not adversely affect others' rights and freedoms
Controllers must ensure that exercising data portability rights does not negatively impact the rights and freedoms of ot
Article 21. Right to object
4 obligations
GDPR-21-01
Requirement
Cease processing upon data subject objection (legitimate interests)
When a data subject objects to processing based on legitimate interests (Article 6(1)(e) or (f)) on grounds relating to
GDPR-21-02
Requirement
Cease processing upon objection to direct marketing
When a data subject objects to processing for direct marketing purposes, the controller must immediately cease processin
GDPR-21-04
Requirement
Provide automated means for objection in information society services
In the context of information society services, controllers must enable data subjects to exercise their right to object
GDPR-21-05
Requirement
Cease research processing upon objection (unless public interest)
When a data subject objects to processing for scientific, historical research or statistical purposes on grounds relatin
Article 23. Restrictions
10 obligations
GDPR-23-01
Requirement
Ensure legislative restrictions respect fundamental rights essence
When implementing legislative measures that restrict GDPR obligations and rights, ensure such restrictions respect the e
GDPR-23-03
Requirement
Include specific provisions on processing purposes in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the purposes of the proc
GDPR-23-04
Requirement
Specify categories of personal data in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the categories of person
GDPR-23-05
Requirement
Define scope of restrictions in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the scope of the restric
GDPR-23-06
Requirement
Establish safeguards against abuse in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding safeguards to prevent ab
GDPR-23-07
Requirement
Specify controllers in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the specification of the
GDPR-23-08
Requirement
Define storage periods and safeguards in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding storage periods and appl
GDPR-23-09
Requirement
Address risks to data subject rights in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the risks to the rights
GDPR-23-10
Requirement
Address data subject notification rights in legislative measures
Any legislative measure restricting GDPR obligations must contain specific provisions regarding the right of data subjec
GDPR-23-11
Requirement
Comply with legislative restrictions when subject to such measures
Data controllers and processors must comply with Union or Member State legislative measures that restrict the scope of G
Chapter IV — Controller and Processor
Article 25. Data protection by design and by default
3 obligations
GDPR-25-01
Requirement
Implement data protection by design measures
Controllers must implement appropriate technical and organisational measures (such as pseudonymisation) at the time of d
GDPR-25-02
Requirement
Implement data protection by default measures for data necessity
Controllers must implement appropriate technical and organisational measures to ensure that by default only personal dat
GDPR-25-07
Requirement
Ensure default non-accessibility without individual intervention
Controllers must ensure that by default personal data are not made accessible to an indefinite number of natural persons
Article 26. Joint controllers
1 obligation
Article 27. Representatives of controllers or processors not established in the Union
1 obligation
Article 28. Processor
8 obligations
GDPR-28-02
Requirement
Obtain authorization before engaging sub-processors
Processors must not engage another processor without prior specific or general written authorisation from the controller
GDPR-28-05
Requirement
Process only on documented controller instructions
Processors must process personal data only on documented instructions from the controller, including regarding transfers
GDPR-28-07
Requirement
Ensure personnel confidentiality commitments
Processors must ensure that persons authorised to process personal data have committed themselves to confidentiality or
GDPR-28-08
Requirement
Assist controller with data subject rights requests
Processors must assist the controller by appropriate technical and organisational measures, insofar as possible, for ful
GDPR-28-09
Requirement
Assist controller with compliance obligations
Processors must assist the controller in ensuring compliance with obligations taking into account the nature of processi
GDPR-28-10
Requirement
Delete or return data after service end
At the controller's choice, processors must delete or return all personal data to the controller after the end of servic
GDPR-28-13
Requirement
Impose same obligations on sub-processors
When engaging another processor for specific processing activities, processors must impose the same data protection obli
GDPR-28-14
Requirement
Remain liable for sub-processor obligations
Where another processor fails to fulfil its data protection obligations, the initial processor remains fully liable to t
Article 31. Cooperation with the supervisory authority
3 obligations
GDPR-31-01
Requirement
Controller cooperation with supervisory authority
Controllers must cooperate with the supervisory authority when requested to do so in the performance of the authority's
GDPR-31-02
Requirement
Processor cooperation with supervisory authority
Processors must cooperate with the supervisory authority when requested to do so in the performance of the authority's t
GDPR-31-03
Requirement
Representative cooperation with supervisory authority
Representatives of controllers and processors must cooperate with the supervisory authority when requested to do so in t
Article 32. Security of processing
5 obligations
GDPR-32-01
Requirement
Implement appropriate technical and organisational security measures
Controllers and processors must implement appropriate technical and organisational measures to ensure a level of securit
GDPR-32-02
Requirement
Implement pseudonymisation and encryption where appropriate
Controllers and processors must implement pseudonymisation and encryption of personal data as appropriate security measu
GDPR-32-03
Requirement
Ensure ongoing confidentiality, integrity, availability and resilience
Controllers and processors must ensure the ongoing confidentiality, integrity, availability and resilience of processing
GDPR-32-04
Requirement
Implement timely data recovery capabilities
Controllers and processors must implement the ability to restore the availability and access to personal data in a timel
GDPR-32-05
Requirement
Regularly test and evaluate security measures effectiveness
Controllers and processors must establish a process for regularly testing, assessing and evaluating the effectiveness of
Article 34. Communication of a personal data breach to the data subject
1 obligation
Article 38. Position of the data protection officer
6 obligations
GDPR-38-02
Requirement
Provide necessary resources to DPO
Controllers and processors must support the data protection officer by providing resources necessary to carry out their
GDPR-38-03
Requirement
Maintain DPO expert knowledge
Controllers and processors must support the data protection officer in maintaining his or her expert knowledge.
GDPR-38-04
Requirement
Ensure DPO independence from instructions
Controllers and processors must ensure that the data protection officer does not receive any instructions regarding the
GDPR-38-06
Requirement
Ensure DPO reports to highest management level
Controllers and processors must ensure that the data protection officer directly reports to the highest management level
GDPR-38-07
Requirement
Ensure DPO maintains secrecy or confidentiality
The data protection officer must be bound by secrecy or confidentiality concerning the performance of their tasks, in ac
GDPR-38-08
Requirement
Prevent DPO conflict of interests
Controllers or processors must ensure that any other tasks and duties assigned to the data protection officer do not res
Article 40. Codes of conduct
11 obligations
GDPR-40-01
Requirement
Member States shall encourage development of codes of conduct
Member States must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDPR
GDPR-40-02
Requirement
Supervisory authorities shall encourage development of codes of conduct
Supervisory authorities must encourage the drawing up of codes of conduct intended to contribute to the proper applicati
GDPR-40-03
Requirement
The Board shall encourage development of codes of conduct
The Board must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDPR, ta
GDPR-40-04
Requirement
Commission shall encourage development of codes of conduct
The Commission must encourage the drawing up of codes of conduct intended to contribute to the proper application of GDP
GDPR-40-05
Requirement
Controllers not subject to GDPR must make binding commitments for code adherence
Controllers not subject to GDPR that adhere to approved codes of conduct for data transfers must make binding and enforc
GDPR-40-06
Requirement
Processors not subject to GDPR must make binding commitments for code adherence
Processors not subject to GDPR that adhere to approved codes of conduct for data transfers must make binding and enforce
GDPR-40-07
Requirement
Codes of conduct must contain compliance monitoring mechanisms
A code of conduct must contain mechanisms which enable the monitoring body to carry out mandatory monitoring of complian
GDPR-40-09
Requirement
Supervisory authority shall provide opinion on draft codes
The supervisory authority must provide an opinion on whether the draft code, amendment or extension complies with GDPR a
GDPR-40-11
Requirement
Supervisory authority shall submit multi-state draft codes to Board
Where a draft code relates to processing activities in several Member States, the competent supervisory authority must s
GDPR-40-12
Requirement
Board shall provide opinion on multi-state draft codes
The Board must provide an opinion on whether multi-state draft codes, amendments or extensions comply with GDPR or provi
GDPR-40-13
Requirement
Board shall submit positive opinions to Commission
Where the Board's opinion confirms that the draft code, amendment or extension complies with GDPR or provides appropriat
Article 41. Monitoring of approved codes of conduct
1 obligation
Article 42. Certification
5 obligations
GDPR-42-01
Requirement
Member States shall encourage establishment of data protection certification mechanisms
Member States must encourage, particularly at Union level, the establishment of data protection certification mechanisms
GDPR-42-02
Requirement
Supervisory authorities shall encourage establishment of certification mechanisms
Supervisory authorities must encourage, particularly at Union level, the establishment of data protection certification
GDPR-42-03
Requirement
Board shall encourage establishment of certification mechanisms
The Board must encourage, particularly at Union level, the establishment of data protection certification mechanisms and
GDPR-42-04
Requirement
Commission shall encourage establishment of certification mechanisms
The Commission must encourage, particularly at Union level, the establishment of data protection certification mechanism
GDPR-42-05
Requirement
Controllers/processors not subject to GDPR must make binding commitments for certification
Controllers or processors not subject to GDPR seeking certification for third country transfers must make binding and en
Article 43. Certification bodies
1 obligation
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Article 44. General principle for transfers
1 obligation
Article 45. Transfers on the basis of an adequacy decision
9 obligations
GDPR-45-01
Requirement
Commission must assess adequacy considering specific elements
The Commission must take account of rule of law, human rights, legislation, data protection rules, case-law, data subjec
GDPR-45-02
Requirement
Commission must decide on adequacy through implementing acts
The Commission may decide, by means of implementing act, that a third country, territory, specified sectors, or internat
GDPR-45-03
Requirement
Commission must provide periodic review mechanism in implementing acts
The implementing act must provide for a mechanism for periodic review, at least every four years, taking into account al
GDPR-45-04
Requirement
Commission must specify territorial and sectoral application in implementing acts
The implementing act must specify its territorial and sectoral application and, where applicable, identify the superviso
GDPR-45-05
Requirement
Commission must adopt implementing acts under examination procedure
The implementing act must be adopted in accordance with the examination procedure referred to in the regulation.
GDPR-45-07
Requirement
Commission must repeal, amend or suspend inadequate adequacy decisions
The Commission must repeal, amend or suspend adequacy decisions when information reveals that adequate protection is no
GDPR-45-08
Requirement
Commission must adopt suspension acts under examination procedure
Implementing acts that repeal, amend or suspend adequacy decisions must be adopted in accordance with the examination pr
GDPR-45-09
Requirement
Commission must adopt immediately applicable acts on urgent grounds
On duly justified imperative grounds of urgency, the Commission must adopt immediately applicable implementing acts in a
GDPR-45-10
Requirement
Commission must consult with third countries to remedy inadequacy situations
The Commission must enter into consultations with the third country or international organisation with a view to remedyi
Article 46. Transfers subject to appropriate safeguards
8 obligations
GDPR-46-01
Requirement
Provide appropriate safeguards for third country transfers
Controllers or processors must provide appropriate safeguards when transferring personal data to third countries or inte
GDPR-46-02
Requirement
Ensure enforceable data subject rights for third country transfers
Controllers or processors must ensure that enforceable data subject rights are available when transferring personal data
GDPR-46-03
Requirement
Ensure effective legal remedies for data subjects in third country transfers
Controllers or processors must ensure that effective legal remedies for data subjects are available when transferring pe
GDPR-46-04
Requirement
Apply binding and enforceable commitments for approved codes of conduct
Controllers or processors in third countries must apply binding and enforceable commitments when using approved codes of
GDPR-46-05
Requirement
Apply binding and enforceable commitments for approved certification mechanisms
Controllers or processors in third countries must apply binding and enforceable commitments when using approved certific
GDPR-46-06
Requirement
Obtain supervisory authority authorisation for contractual clauses
Controllers or processors must obtain authorisation from the competent supervisory authority when using contractual clau
GDPR-46-07
Requirement
Include enforceable data subject rights in administrative arrangements
Public authorities or bodies must include enforceable and effective data subject rights in administrative arrangements u
GDPR-46-08
Requirement
Apply consistency mechanism for paragraph 3 authorisations
Supervisory authorities must apply the consistency mechanism when providing authorisations for contractual clauses and a
Article 49. Derogations for specific situations
3 obligations
GDPR-49-01
Requirement
Use specific derogations for data transfers without adequacy decision or safeguards
When transferring personal data to a third country or international organisation without an adequacy decision or appropr
GDPR-49-04
Requirement
Verify legitimate interest for consultation-based register transfers
When transferring data from registers intended for consultation by persons with legitimate interest, controllers must en
GDPR-49-05
Requirement
Meet additional conditions for non-repetitive limited transfers
For transfers that cannot be based on standard provisions and no specific derogations apply, controllers may only transf
Article 50. International cooperation for the protection of personal data
4 obligations
GDPR-50-01
Requirement
Develop international cooperation mechanisms for data protection enforcement
The Commission and supervisory authorities must develop international cooperation mechanisms to facilitate the effective
GDPR-50-02
Requirement
Provide international mutual assistance in data protection enforcement
The Commission and supervisory authorities must provide international mutual assistance in the enforcement of legislatio
GDPR-50-03
Requirement
Engage stakeholders in international cooperation discussions
The Commission and supervisory authorities must engage relevant stakeholders in discussion and activities aimed at furth
GDPR-50-04
Requirement
Promote exchange and documentation of data protection legislation and practice
The Commission and supervisory authorities must promote the exchange and documentation of personal data protection legis
Chapter VI — Independent Supervisory Authorities
Article 51. Supervisory authority
5 obligations
GDPR-51-01
Requirement
Establish independent supervisory authority
Each Member State must provide for one or more independent public authorities to be responsible for monitoring the appli
GDPR-51-02
Requirement
Contribute to consistent application of GDPR
Each supervisory authority must contribute to the consistent application of GDPR throughout the Union.
GDPR-51-03
Requirement
Cooperate with other authorities and Commission
Supervisory authorities must cooperate with each other and the Commission in accordance with Chapter VII to ensure consi
GDPR-51-04
Requirement
Designate Board representative authority
Where more than one supervisory authority is established in a Member State, that Member State must designate which super
GDPR-51-05
Requirement
Establish consistency mechanism compliance framework
Member States with multiple supervisory authorities must set out the mechanism to ensure compliance by the other authori
Article 52. Independence
6 obligations
GDPR-52-01
Requirement
Supervisory Authority Independence Requirement
Each supervisory authority must act with complete independence when performing its tasks and exercising its powers in ac
GDPR-52-02
Requirement
Freedom from External Influence Requirement
Members of supervisory authorities must remain free from external influence, whether direct or indirect, when performing
GDPR-52-06
Requirement
Resource Provision Requirement for Member States
Each Member State must ensure that each supervisory authority is provided with the human, technical and financial resour
GDPR-52-07
Requirement
Staff Selection and Direction Requirement for Member States
Each Member State must ensure that each supervisory authority chooses and has its own staff which shall be subject to th
GDPR-52-08
Requirement
Independent Financial Control Requirement for Member States
Each Member State must ensure that each supervisory authority is subject to financial control which does not affect its
GDPR-52-09
Requirement
Separate Public Annual Budget Requirement for Member States
Each Member State must ensure that each supervisory authority has separate, public annual budgets, which may be part of
Article 53. General conditions for the members of the supervisory authority
4 obligations
GDPR-53-01
Requirement
Establish transparent appointment procedure for supervisory authority members
Member States must establish and implement a transparent procedure for appointing each member of their supervisory autho
GDPR-53-02
Requirement
Ensure supervisory authority members have required qualifications
Each member of supervisory authorities must possess the necessary qualifications, experience and skills, particularly in
GDPR-53-03
Requirement
Establish legal framework for termination of member duties
Member States must establish legal provisions defining when a supervisory authority member's duties end, specifically co
GDPR-53-04
Requirement
Restrict dismissal of members to specific circumstances
Member States must ensure that supervisory authority members can only be dismissed in cases of serious misconduct or if
Article 54. Rules on the establishment of the supervisory authority
6 obligations
GDPR-54-01
Requirement
Establish supervisory authority by law
Each Member State must provide by law for the establishment of each supervisory authority responsible for data protectio
GDPR-54-02
Requirement
Define qualifications and eligibility conditions for supervisory authority members
Each Member State must establish by law the qualifications and eligibility conditions required to be appointed as member
GDPR-54-03
Requirement
Establish appointment rules and procedures for supervisory authority members
Each Member State must define by law the rules and procedures for the appointment of the member or members of each super
GDPR-54-04
Requirement
Set minimum term duration for supervisory authority members
Each Member State must establish by law the duration of the term of supervisory authority members of no less than four y
GDPR-54-05
Requirement
Define reappointment eligibility rules for supervisory authority members
Each Member State must establish by law whether and for how many terms the member or members of each supervisory authori
GDPR-54-06
Requirement
Establish conduct and employment rules for supervisory authority members and staff
Each Member State must define by law the conditions governing obligations of supervisory authority members and staff, in
Article 55. Competence
2 obligations
GDPR-55-01
Requirement
Territorial Competence Limitation for Supervisory Authorities
Each supervisory authority must limit its competence to performing tasks and exercising powers only within the territory
GDPR-55-02
Requirement
Specific Competence for Public Authority Processing
The supervisory authority of the relevant Member State must exercise competence when processing is carried out by public
Article 56. Competence of the lead supervisory authority
5 obligations
GDPR-56-04
Requirement
Decide on case handling within three weeks
The lead supervisory authority must decide within three weeks after being informed whether or not it will handle the cas
GDPR-56-05
Requirement
Apply specified procedure when handling case
When the lead supervisory authority decides to handle the case, it must apply the procedure referenced in the regulation
GDPR-56-06
Requirement
Submit draft decision to lead supervisory authority
The supervisory authority which informed the lead supervisory authority may submit a draft for a decision to the lead su
GDPR-56-07
Requirement
Take utmost account of submitted draft
The lead supervisory authority must take utmost account of any draft decision submitted by the informing supervisory aut
GDPR-56-08
Requirement
Handle case when lead authority declines
When the lead supervisory authority decides not to handle the case, the supervisory authority which informed it must han
Article 58. Powers
7 obligations
GDPR-58-05
Requirement
Comply with Data Subject Rights Orders
Controllers and processors must comply with supervisory authority orders to fulfill data subject requests to exercise th
GDPR-58-06
Requirement
Bring Processing Operations into Compliance
Controllers and processors must bring their processing operations into compliance with GDPR provisions when ordered by s
GDPR-58-09
Requirement
Execute Data Rectification, Erasure, or Restriction Orders
Controllers and processors must comply with supervisory authority orders for rectification or erasure of personal data o
GDPR-58-11
Requirement
Member States Must Grant Supervisory Authority Powers
Member States must ensure their supervisory authorities have all the investigative, corrective, and authorization/adviso
GDPR-58-12
Requirement
Establish Safeguards for Supervisory Authority Powers
Member States must establish appropriate safeguards, including effective judicial remedy and due process, for the exerci
GDPR-58-13
Requirement
Provide Legal Authority for Judicial Enforcement
Member States must provide by law that supervisory authorities have the power to bring GDPR infringements to judicial au
GDPR-58-14
Requirement
Ensure Additional Powers Don't Impair Chapter VII
Member States that provide additional powers to supervisory authorities beyond those in paragraphs 1, 2, and 3 must ensu
Chapter VII — Cooperation and Consistency
Article 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned
20 obligations
GDPR-60-01
Requirement
Lead supervisory authority must cooperate with other concerned authorities
The lead supervisory authority must cooperate with other supervisory authorities concerned in an endeavour to reach cons
GDPR-60-02
Requirement
Exchange all relevant information between supervisory authorities
The lead supervisory authority and supervisory authorities concerned must exchange all relevant information with each ot
GDPR-60-03
Requirement
Lead authority may request mutual assistance from other authorities
The lead supervisory authority may at any time request other supervisory authorities concerned to provide mutual assista
GDPR-60-04
Requirement
Lead authority may conduct joint operations with other authorities
The lead supervisory authority may conduct joint operations with other supervisory authorities, particularly for carryin
GDPR-60-05
Requirement
Lead authority must communicate relevant information without delay
The lead supervisory authority must communicate relevant information on the matter to other supervisory authorities conc
GDPR-60-06
Requirement
Lead authority must submit draft decision for opinion without delay
The lead supervisory authority must submit a draft decision to other supervisory authorities concerned for their opinion
GDPR-60-07
Requirement
Lead authority must submit matter to consistency mechanism upon objection
Where other supervisory authorities express relevant and reasoned objections within four weeks, the lead supervisory aut
GDPR-60-08
Requirement
Lead authority must submit revised draft decision when following objection
When the lead supervisory authority intends to follow a relevant and reasoned objection, it must submit a revised draft
GDPR-60-09
Requirement
Revised draft decision subject to two-week objection procedure
The revised draft decision must be subject to the objection procedure within a period of two weeks.
GDPR-60-10
Requirement
Supervisory authorities bound by draft decision without objections
Where no other supervisory authorities object to the draft decision within the specified periods, all supervisory author
GDPR-60-11
Requirement
Lead authority must adopt and notify decision to controller/processor
The lead supervisory authority must adopt and notify the decision to the main establishment or single establishment of t
GDPR-60-12
Requirement
Lead authority must inform other authorities and Board of decision
The lead supervisory authority must inform other supervisory authorities concerned and the Board of the decision, includ
GDPR-60-13
Requirement
Complaint authority must inform complainant of decision
The supervisory authority with which a complaint has been lodged must inform the complainant of the decision.
GDPR-60-14
Requirement
Complaint authority must adopt decision for dismissed/rejected complaints
Where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged must adopt the
GDPR-60-15
Requirement
Separate decisions required for partial complaint handling
Where supervisory authorities agree to dismiss/reject parts of a complaint and act on other parts, separate decisions mu
GDPR-60-16
Requirement
Lead authority handles controller action decisions in partial complaints
In partial complaint cases, the lead supervisory authority must adopt decisions for parts concerning actions relating to
GDPR-60-17
Requirement
Complaint authority handles dismissal decisions in partial complaints
In partial complaint cases, the supervisory authority of the complainant must adopt decisions for dismissal/rejection pa
GDPR-60-18
Requirement
Controller/processor must ensure compliance across all EU establishments
After being notified of the lead supervisory authority's decision, the controller or processor must take necessary measu
GDPR-60-20
Requirement
Lead authority must inform other authorities of compliance measures
The lead supervisory authority must inform other supervisory authorities concerned about the compliance measures notifie
GDPR-60-21
Requirement
Supervisory authorities must supply information electronically in standardised format
The lead supervisory authority and other supervisory authorities concerned must supply required information to each othe
Article 61. Mutual assistance
6 obligations
GDPR-61-01
Requirement
Provide mutual assistance and relevant information to other supervisory authorities
Supervisory authorities must provide each other with relevant information and mutual assistance to implement and apply t
GDPR-61-02
Requirement
Respond to assistance requests without undue delay within one month
Each supervisory authority must take all appropriate measures to reply to requests from other supervisory authorities wi
GDPR-61-03
Requirement
Include necessary information in assistance requests
Requests for assistance must contain all the necessary information, including the purpose of and reasons for the request
GDPR-61-04
Requirement
Use exchanged information only for requested purpose
Information exchanged between supervisory authorities shall be used only for the purpose for which it was requested.
GDPR-61-05
Requirement
Comply with assistance requests unless specific exceptions apply
The requested supervisory authority shall not refuse to comply with assistance requests unless it is not competent for t
GDPR-61-08
Requirement
Supply information by electronic means using standardised format
Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by
Article 62. Joint operations of supervisory authorities
9 obligations
GDPR-62-01
Requirement
Conduct joint operations when appropriate
Supervisory authorities must conduct joint operations including joint investigations and joint enforcement measures invo
GDPR-62-02
Requirement
Invite other supervisory authorities to participate in joint operations
The competent supervisory authority must invite supervisory authorities from other affected Member States to participate
GDPR-62-03
Requirement
Respond without delay to participation requests
Supervisory authorities must respond without delay to requests from other supervisory authorities to participate in join
GDPR-62-04
Requirement
Exercise investigative powers only under guidance and presence of host authority
When seconded supervisory authority staff exercise investigative powers in another Member State, they may only do so und
GDPR-62-05
Requirement
Comply with host Member State law
Seconding supervisory authority's members or staff participating in joint operations must be subject to and comply with
GDPR-62-06
Requirement
Assume responsibility for seconded staff actions
The Member State of the host supervisory authority must assume responsibility for actions of seconded staff from other M
GDPR-62-07
Requirement
Make good damage under the same conditions as for own staff
The Member State in whose territory damage was caused must compensate for such damage under the same conditions that wou
GDPR-62-08
Requirement
Reimburse host Member State for damage caused by seconded staff
The Member State of the seconding supervisory authority must reimburse in full any sums paid by the host Member State to
GDPR-62-10
Requirement
Comply with invitation obligation within one month
Supervisory authorities must comply with the obligation to invite other supervisory authorities to participate in joint
Article 63. Consistency mechanism
2 obligations
GDPR-63-01
Requirement
Supervisory authorities must cooperate with each other through consistency mechanism
Supervisory authorities must cooperate with each other through the consistency mechanism as set out in Section 2 of Chap
GDPR-63-02
Requirement
Supervisory authorities must cooperate with Commission when relevant
Supervisory authorities must cooperate with the European Commission, where relevant, through the consistency mechanism a
Article 64. Opinion of the Board
8 obligations
GDPR-64-01
Requirement
Board Must Issue Opinion on Specified Draft Decisions
The Board shall issue an opinion when a competent supervisory authority intends to adopt specific measures including DPI
GDPR-64-02
Requirement
Supervisory Authority Must Communicate Draft Decision to Board
The competent supervisory authority must communicate the draft decision to the Board when it intends to adopt any of the
GDPR-64-03
Requirement
Board Must Issue Opinion Within Eight Weeks
The Board must adopt its opinion within eight weeks by simple majority of the members, with possible extension of six we
GDPR-64-04
Requirement
Supervisory Authorities Must Communicate Information Without Undue Delay
Supervisory authorities and the Commission must communicate by electronic means to the Board, using a standardised forma
GDPR-64-05
Requirement
Board Chair Must Inform Members and Commission of Relevant Information
The Chair of the Board must inform by electronic means the members of the Board and the Commission of any relevant infor
GDPR-64-06
Requirement
Board Chair Must Inform Supervisory Authority of Opinion and Make Public
The Chair of the Board must inform the supervisory authority referred to in paragraphs 1 and 2, and the Commission of th
GDPR-64-08
Requirement
Supervisory Authority Must Take Utmost Account of Board Opinion
The competent supervisory authority must take utmost account of the opinion of the Board when making its final decision.
GDPR-64-09
Requirement
Supervisory Authority Must Communicate Decision Status Within Two Weeks
The supervisory authority must communicate to the Chair of the Board within two weeks after receiving the opinion whethe
Article 65. Dispute resolution by the Board
5 obligations
GDPR-65-01
Requirement
Board must adopt binding decisions in specified dispute cases
The Board shall adopt a binding decision in cases where: (a) a supervisory authority has raised a relevant and reasoned
GDPR-65-02
Requirement
Board must adopt decisions within one month by two-thirds majority
The Board must adopt binding decisions within one month from referral by a two-thirds majority of members, with the peri
GDPR-65-04
Requirement
Board must adopt decision by simple majority if unable to meet deadline
If the Board cannot adopt a decision within the specified periods, it must adopt its decision within two weeks following
GDPR-65-06
Requirement
Board Chair must notify decision to supervisory authorities without undue delay
The Chair of the Board must notify the Board's decision to the supervisory authorities concerned without undue delay.
GDPR-65-09
Requirement
Lead/complaint supervisory authority must adopt final decision based on Board decision
The lead supervisory authority or the supervisory authority with which the complaint was lodged must adopt its final dec
Article 68. European Data Protection Board
1 obligation
Article 69. Independence
1 obligation
Article 73. Chair
2 obligations
GDPR-73-01
Requirement
Board Must Elect Chair and Deputy Chairs by Simple Majority
The Board must elect a chair and two deputy chairs from amongst its members using a simple majority voting process.
GDPR-73-02
Requirement
Chair and Deputy Chairs Must Serve Five-Year Terms
The Chair and deputy chairs must serve terms of office lasting five years, with the possibility of one renewal.
Article 74. Tasks of the Chair
4 obligations
GDPR-74-01
Requirement
Convene Board meetings and prepare agenda
The Chair must convene meetings of the Board and prepare the agenda for such meetings.
GDPR-74-02
Requirement
Notify Board decisions to supervisory authorities
The Chair must notify decisions adopted by the Board pursuant to consistency mechanism to the lead supervisory authority
GDPR-74-03
Requirement
Ensure timely performance of Board tasks
The Chair must ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mec
GDPR-74-04
Requirement
Establish task allocation rules between Chair and deputy chairs
The Board must lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.
Article 75. Secretariat
10 obligations
GDPR-75-01
Requirement
European Data Protection Supervisor must provide Board secretariat
The European Data Protection Supervisor must provide a secretariat for the Board.
GDPR-75-02
Requirement
Secretariat must perform tasks under Board Chair instructions
The secretariat must perform all its tasks exclusively under the instructions of the Chair of the Board.
GDPR-75-06
Requirement
Provide analytical, administrative and logistical support
The secretariat must provide analytical, administrative and logistical support to the Board.
GDPR-75-07
Requirement
Handle day-to-day business of the Board
The secretariat must be responsible for the day-to-day business of the Board.
GDPR-75-08
Requirement
Facilitate communication between Board members, Chair and Commission
The secretariat must be responsible for communication between the members of the Board, its Chair and the Commission.
GDPR-75-09
Requirement
Manage communication with other institutions and public
The secretariat must be responsible for communication with other institutions and the public.
GDPR-75-10
Requirement
Use electronic means for internal and external communication
The secretariat must be responsible for the use of electronic means for both internal and external communication.
GDPR-75-11
Requirement
Provide translation of relevant information
The secretariat must be responsible for the translation of relevant information.
GDPR-75-12
Requirement
Prepare and follow up Board meetings
The secretariat must be responsible for the preparation and follow-up of the meetings of the Board.
GDPR-75-13
Requirement
Prepare, draft and publish Board outputs
The secretariat must be responsible for the preparation, drafting and publication of opinions, decisions on dispute sett
Chapter VIII — Remedies, Liability and Penalties
Article 77. Right to lodge a complaint with a supervisory authority
1 obligation
Article 78. Right to an effective judicial remedy against a supervisory authority
2 obligations
GDPR-78-03
Requirement
Bring proceedings in courts of Member State where supervisory authority established
Must bring any judicial proceedings against a supervisory authority before the courts of the Member State where that sup
GDPR-78-04
Requirement
Forward Board opinion or decision to court in consistency mechanism cases
Must forward any opinion or decision of the Board from the consistency mechanism to the court when proceedings are broug
Article 79. Right to an effective judicial remedy against a controller or processor
2 obligations
GDPR-79-02
Requirement
Submit to jurisdiction of courts where establishment is located
Controllers and processors must accept that proceedings against them can be brought before the courts of the Member Stat
GDPR-79-03
Requirement
Submit to jurisdiction of courts where data subject has habitual residence
Controllers and processors (except public authorities acting in exercise of public powers) must accept that proceedings
Article 81. Suspension of proceedings
3 obligations
GDPR-81-01
Requirement
Contact court to confirm parallel proceedings
When a competent court has information about proceedings concerning the same subject matter regarding processing by the
GDPR-81-02
Requirement
Authority to suspend parallel proceedings
Any competent court other than the court first seized may suspend its proceedings where proceedings concerning the same
GDPR-81-03
Requirement
Authority to decline jurisdiction at first instance
Where proceedings are pending at first instance, any court other than the court first seized may decline jurisdiction up
Article 82. Right to compensation and liability
6 obligations
GDPR-82-01
Requirement
Provide compensation to data subjects for damages from GDPR infringements
Controllers and processors must provide compensation to any person who has suffered material or non-material damage as a
GDPR-82-02
Requirement
Controller liability for damages from processing infringements
Any controller involved in processing shall be liable for damage caused by processing which infringes the GDPR and must
GDPR-82-03
Requirement
Processor liability for specific infringements and unauthorized actions
A processor shall be liable for damage caused by processing only where it has not complied with GDPR obligations specifi
GDPR-82-04
Requirement
Prove absence of responsibility to claim exemption from liability
A controller or processor must prove that it is not in any way responsible for the event giving rise to damage in order
GDPR-82-05
Requirement
Joint and several liability for full damage compensation
Where multiple controllers or processors are involved in the same processing and are responsible for damage, each contro
GDPR-82-06
Requirement
Right to claim proportional reimbursement from co-responsible parties
Where a controller or processor has paid full compensation for damage, that party shall be entitled to claim back from o
Article 83. General conditions for imposing administrative fines
7 obligations
GDPR-83-01
Requirement
Ensure administrative fines are effective, proportionate and dissuasive
Each supervisory authority must ensure that administrative fines imposed for GDPR infringements are effective, proportio
GDPR-83-02
Requirement
Consider specified factors when deciding on administrative fines
When deciding whether to impose an administrative fine and determining the amount, supervisory authorities must give due
GDPR-83-03
Requirement
Apply maximum fine cap for multiple linked infringements
When a controller or processor intentionally or negligently infringes several GDPR provisions for the same or linked pro
GDPR-83-04
Requirement
Apply appropriate procedural safeguards for administrative fines
Supervisory authorities must ensure that the exercise of their administrative fine powers is subject to appropriate proc
GDPR-83-05
Requirement
Establish rules for administrative fines on public authorities
Each Member State may establish rules determining whether and to what extent administrative fines may be imposed on publ
GDPR-83-06
Requirement
Adapt administrative fine procedures for non-administrative fine legal systems
Where a Member State's legal system does not provide for administrative fines, they may apply this Article so that fines
GDPR-83-07
Requirement
Ensure alternative fines remain effective, proportionate and dissuasive
Member States using alternative fine procedures must ensure that the fines imposed are effective, proportionate and diss
Article 84. Penalties
2 obligations
GDPR-84-01
Requirement
Establish rules on other penalties for GDPR infringements
Member States must lay down rules on penalties applicable to infringements of the GDPR, particularly for infringements n
GDPR-84-02
Requirement
Ensure penalties are effective, proportionate and dissuasive
Member States must ensure that the penalties they establish for GDPR infringements meet the standards of being effective
Chapter IX — Provisions Relating to Specific Processing Situations
Article 85. Processing and freedom of expression and information
2 obligations
GDPR-85-01
Requirement
Reconcile data protection with freedom of expression rights
Member States must enact laws that reconcile the right to protection of personal data under GDPR with the right to freed
GDPR-85-02
Requirement
Provide exemptions/derogations for journalistic and expressive processing
Member States must provide exemptions or derogations from Chapters II, III, IV, V, VI, VII and IX for processing carried
Article 88. Processing in the context of employment
2 obligations
GDPR-88-01
Requirement
Enact specific employment data protection rules
Member States must establish by law or collective agreements more specific rules to ensure protection of rights and free
GDPR-88-02
Requirement
Include human dignity safeguards in employment data rules
Member States must ensure that employment data protection rules include suitable and specific measures to safeguard the
Article 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
3 obligations
GDPR-89-02
Requirement
Ensure technical and organisational measures for data minimisation
Organizations must ensure that technical and organisational measures are in place to ensure respect for the principle of
GDPR-89-04
Requirement
Use non-identifying processing where purposes can be fulfilled
Organizations must use further processing that does not permit or no longer permits identification of data subjects wher
GDPR-89-05
Requirement
Apply derogations only to specified processing purposes
When processing serves multiple purposes simultaneously, organizations must ensure that derogations from data subject ri
Article 90. Obligations of secrecy
1 obligation
Chapter X — Delegated Acts and Implementing Acts
Article 92. Exercise of the delegation
2 obligations
GDPR-92-02
Requirement
Three-month objection period compliance
The Commission must ensure delegated acts only enter into force if no objection is expressed by the European Parliament
GDPR-92-03
Requirement
Extended objection period compliance
The Commission must comply with extended objection periods when the three-month period is extended by an additional thre
Chapter XI — Final Provisions
Article 97. Commission reports
2 obligations
GDPR-97-05
Requirement
Consider stakeholder positions in GDPR evaluations
The Commission must take into account the positions and findings of the European Parliament, the Council, and other rele
GDPR-97-06
Requirement
Submit GDPR amendment proposals when necessary
The Commission must submit appropriate proposals to amend the GDPR if necessary, particularly considering developments i
Article 98. Review of other Union legal acts on data protection
2 obligations
GDPR-98-01
Requirement
Submit legislative proposals to amend other Union data protection acts
The Commission must, when appropriate, submit legislative proposals to amend other Union legal acts on personal data pro
GDPR-98-02
Requirement
Address protection rules for Union institutions, bodies, offices and agencies
The Commission must particularly focus on rules relating to protection of natural persons regarding processing by Union