GDPR
General Data Protection Regulation (EU) 2016/679
- I. General Data Protection Regulation (GDPR)
- Ch. I — General Provisions
- Art. 1. Subject matter and objectives (1)
- Art. 2. Material scope (4)
- Art. 3. Territorial scope (4)
- Art. 4. Definitions (4)
- Ch. II — Principles
- Art. 5. Principles relating to processing of personal data (12)
- Art. 6. Lawfulness of processing (11)
- Art. 7. Conditions for consent (7)
- Art. 8. Conditions applicable to child's consent in relation to information society services (3)
- Art. 9. Processing of special categories of personal data (13)
- Art. 10. Processing of personal data relating to criminal convictions and offences (2)
- Art. 11. Processing which does not require identification (4)
- Ch. III — Rights of the Data Subject
- Art. 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (16)
- Art. 13. Information to be provided where personal data are collected from the data subject (14)
- Art. 14. Information to be provided where personal data have not been obtained from the data subject (12)
- Art. 15. Right of access by the data subject (15)
- Art. 16. Right to rectification (2)
- Art. 17. Right to erasure (‘right to be forgotten’) (4)
- Art. 18. Right to restriction of processing (6)
- Art. 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (2)
- Art. 20. Right to data portability (5)
- Art. 21. Right to object (5)
- Art. 22. Automated individual decision-making, including profiling (10)
- Art. 23. Restrictions (11)
- Ch. IV — Controller and Processor
- Art. 24. Responsibility of the controller (3)
- Art. 25. Data protection by design and by default (7)
- Art. 26. Joint controllers (5)
- Art. 27. Representatives of controllers or processors not established in the Union (3)
- Art. 28. Processor (15)
- Art. 29. Processing under the authority of the controller or processor (2)
- Art. 30. Records of processing activities (17)
- Art. 31. Cooperation with the supervisory authority (3)
- Art. 32. Security of processing (7)
- Art. 33. Notification of a personal data breach to the supervisory authority (10)
- Art. 34. Communication of a personal data breach to the data subject (7)
- Art. 35. Data protection impact assessment (17)
- Art. 36. Prior consultation (7)
- Art. 37. Designation of the data protection officer (6)
- Art. 38. Position of the data protection officer (8)
- Art. 39. Tasks of the data protection officer (6)
- Art. 40. Codes of conduct (15)
- Art. 41. Monitoring of approved codes of conduct (8)
- Art. 42. Certification (7)
- Art. 43. Certification bodies (12)
- Ch. V — Transfers of Personal Data to Third Countries or International Organisations
- Art. 44. General principle for transfers (2)
- Art. 45. Transfers on the basis of an adequacy decision (11)
- Art. 46. Transfers subject to appropriate safeguards (8)
- Art. 47. Binding corporate rules
- Art. 48. Transfers or disclosures not authorised by Union law (1)
- Art. 49. Derogations for specific situations (10)
- Art. 50. International cooperation for the protection of personal data (4)
- Ch. VI — Independent Supervisory Authorities
- Art. 51. Supervisory authority (6)
- Art. 52. Independence (9)
- Art. 53. General conditions for the members of the supervisory authority (4)
- Art. 54. Rules on the establishment of the supervisory authority (8)
- Art. 55. Competence (3)
- Art. 56. Competence of the lead supervisory authority (9)
- Art. 57. Tasks (26)
- Art. 58. Powers (14)
- Art. 59. Activity reports (3)
- Ch. VII — Cooperation and Consistency
- Art. 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned (21)
- Art. 61. Mutual assistance (9)
- Art. 62. Joint operations of supervisory authorities (10)
- Art. 63. Consistency mechanism (2)
- Art. 64. Opinion of the Board (9)
- Art. 65. Dispute resolution by the Board (12)
- Art. 66. Urgency procedure (5)
- Art. 67. Exchange of information (2)
- Art. 68. European Data Protection Board (3)
- Art. 69. Independence (3)
- Art. 70. Tasks of the Board
- Art. 71. Reports (7)
- Art. 72. Procedure (3)
- Art. 73. Chair (2)
- Art. 74. Tasks of the Chair (4)
- Art. 75. Secretariat (13)
- Art. 76. Confidentiality (2)
- Ch. VIII — Remedies, Liability and Penalties
- Art. 77. Right to lodge a complaint with a supervisory authority (2)
- Art. 78. Right to an effective judicial remedy against a supervisory authority (4)
- Art. 79. Right to an effective judicial remedy against a controller or processor (3)
- Art. 80. Representation of data subjects (3)
- Art. 81. Suspension of proceedings (3)
- Art. 82. Right to compensation and liability (6)
- Art. 83. General conditions for imposing administrative fines (8)
- Art. 84. Penalties (3)
- Ch. IX — Provisions Relating to Specific Processing Situations
- Art. 85. Processing and freedom of expression and information (4)
- Art. 86. Processing and public access to official documents (2)
- Art. 87. Processing of the national identification number (1)
- Art. 88. Processing in the context of employment (4)
- Art. 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (5)
- Art. 90. Obligations of secrecy (4)
- Art. 91. Existing data protection rules of churches and religious associations (2)
- Ch. X — Delegated Acts and Implementing Acts
- Art. 92. Exercise of the delegation (3)
- Art. 93. Committee procedure (3)
- Ch. XI — Final Provisions
- Art. 94. Repeal of Directive 95/46/EC (2)
- Art. 95. Relationship with Directive 2002/58/EC (1)
- Art. 96. Relationship with previously concluded Agreements (1)
- Art. 97. Commission reports (6)
- Art. 98. Review of other Union legal acts on data protection (2)
- Art. 99. Entry into force and application (1)
Transparency Obligations
93 obligations
Title I — General Data Protection Regulation (GDPR)
Chapter I — General Provisions
Chapter II — Principles
Article 7. Conditions for consent
1 obligation
Article 11. Processing which does not require identification
1 obligation
Chapter III — Rights of the Data Subject
Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject
1 obligation
Article 13. Information to be provided where personal data are collected from the data subject
13 obligations
GDPR-13-01
Transparency
Provide controller identity and contact details
The controller must provide the data subject with the identity and contact details of the controller and, where applicab
GDPR-13-02
Transparency
Provide data protection officer contact details
The controller must provide the contact details of the data protection officer to the data subject at the time when pers
GDPR-13-03
Transparency
Provide purposes and legal basis for processing
The controller must provide the data subject with information about the purposes of the processing for which the persona
GDPR-13-04
Transparency
Provide legitimate interests information
Where processing is based on legitimate interests (Article 6(1)(f)), the controller must provide information about the l
GDPR-13-05
Transparency
Provide recipients information
The controller must provide the data subject with information about the recipients or categories of recipients of the pe
GDPR-13-06
Transparency
Provide international transfer information
Where applicable, the controller must inform the data subject about intended transfers of personal data to third countri
GDPR-13-07
Transparency
Provide data retention period information
The controller must provide the data subject with information about the period for which the personal data will be store
GDPR-13-08
Transparency
Provide data subject rights information
The controller must inform the data subject about the existence of their rights to request access, rectification, erasur
GDPR-13-09
Transparency
Provide consent withdrawal information
Where processing is based on consent, the controller must inform the data subject about the existence of the right to wi
GDPR-13-10
Transparency
Provide complaint rights information
The controller must inform the data subject about their right to lodge a complaint with a supervisory authority.
GDPR-13-11
Transparency
Provide data provision requirement information
The controller must inform the data subject whether the provision of personal data is a statutory or contractual require
GDPR-13-12
Transparency
Provide automated decision-making information
The controller must inform the data subject about the existence of automated decision-making, including profiling, and p
GDPR-13-13
Transparency
Provide information before further processing for new purpose
Where the controller intends to further process the personal data for a purpose other than that for which the personal d
Article 14. Information to be provided where personal data have not been obtained from the data subject
8 obligations
GDPR-14-01
Transparency
Provide controller identity and contact details
The controller must provide the data subject with the identity and contact details of the controller and, where applicab
GDPR-14-02
Transparency
Provide DPO contact details when applicable
The controller must provide the data subject with the contact details of the data protection officer, where applicable,
GDPR-14-03
Transparency
Provide processing purposes and legal basis information
The controller must provide the data subject with the purposes of the processing for which the personal data are intende
GDPR-14-04
Transparency
Provide categories of personal data information
The controller must provide the data subject with the categories of personal data concerned when personal data have not
GDPR-14-05
Transparency
Provide recipients information when applicable
The controller must provide the data subject with the recipients or categories of recipients of the personal data, if an
GDPR-14-06
Transparency
Provide international transfer information when applicable
The controller must provide information about intended transfers to third countries or international organizations, incl
GDPR-14-07
Transparency
Provide additional fair processing information
The controller must provide the data subject with additional information necessary to ensure fair and transparent proces
GDPR-14-11
Transparency
Provide information before further processing for different purpose
The controller must provide the data subject prior to further processing with information on the other purpose and any r
Article 15. Right of access by the data subject
12 obligations
GDPR-15-01
Transparency
Provide confirmation of personal data processing
Data controllers must provide confirmation to data subjects as to whether or not personal data concerning them are being
GDPR-15-02
Transparency
Provide access to personal data and processing information
When personal data is being processed, controllers must provide access to the personal data and all specified informatio
GDPR-15-03
Transparency
Disclose purposes of processing
Controllers must inform data subjects of the purposes for which their personal data is being processed when responding t
GDPR-15-04
Transparency
Disclose categories of personal data
Controllers must inform data subjects of the categories of personal data being processed concerning them when responding
GDPR-15-05
Transparency
Disclose recipients of personal data
Controllers must inform data subjects of the recipients or categories of recipients to whom personal data have been or w
GDPR-15-06
Transparency
Disclose data retention period or criteria
Controllers must inform data subjects of the envisaged storage period for personal data, or if not possible, the criteri
GDPR-15-07
Transparency
Inform about data subject rights
Controllers must inform data subjects about their rights to request rectification, erasure, restriction of processing, o
GDPR-15-08
Transparency
Inform about complaint rights
Controllers must inform data subjects of their right to lodge a complaint with a supervisory authority.
GDPR-15-09
Transparency
Disclose data source information
When personal data was not collected from the data subject, controllers must provide any available information about the
GDPR-15-10
Transparency
Disclose automated decision-making information
Controllers must inform data subjects about the existence of automated decision-making including profiling, and provide
GDPR-15-11
Transparency
Inform about international transfer safeguards
When personal data are transferred to third countries or international organisations, controllers must inform data subje
GDPR-15-12
Transparency
Provide copy of personal data
Controllers must provide a copy of the personal data undergoing processing to data subjects upon request.
Article 18. Right to restriction of processing
1 obligation
Article 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
1 obligation
Article 21. Right to object
1 obligation
Chapter IV — Controller and Processor
Article 26. Joint controllers
1 obligation
Article 28. Processor
4 obligations
GDPR-28-03
Transparency
Inform controller of intended sub-processor changes
In cases of general written authorisation, processors must inform the controller of any intended changes concerning addi
GDPR-28-06
Transparency
Inform controller of legal processing requirements
When required to process by Union or Member State law, processors must inform the controller of that legal requirement b
GDPR-28-11
Transparency
Provide compliance information and audit access
Processors must make available to the controller all information necessary to demonstrate compliance with Article 28 obl
GDPR-28-12
Transparency
Inform controller of instruction infringements
Processors must immediately inform the controller if, in their opinion, an instruction infringes GDPR or other Union or
Article 33. Notification of a personal data breach to the supervisory authority
5 obligations
GDPR-33-02
Transparency
Provide reasons for delayed breach notification
When notification to the supervisory authority is not made within 72 hours, the controller must provide reasons for the
GDPR-33-04
Transparency
Describe nature of personal data breach in notification
The notification must describe the nature of the personal data breach including, where possible, the categories and appr
GDPR-33-05
Transparency
Provide contact details in breach notification
The notification must communicate the name and contact details of the data protection officer or other contact point whe
GDPR-33-06
Transparency
Describe likely consequences of breach in notification
The notification must describe the likely consequences of the personal data breach.
GDPR-33-07
Transparency
Describe remedial measures in breach notification
The notification must describe the measures taken or proposed to be taken by the controller to address the personal data
Article 34. Communication of a personal data breach to the data subject
3 obligations
GDPR-34-02
Transparency
Describe breach nature in clear and plain language to data subjects
The communication to data subjects about a personal data breach must describe the nature of the breach in clear and plai
GDPR-34-03
Transparency
Include required information in data subject breach communications
Data subject breach communications must contain at least the information and measures referred to in points (b), (c) and
GDPR-34-06
Transparency
Provide public communication when individual notification involves disproportionate effort
When individual communication to data subjects would involve disproportionate effort, controllers must instead provide a
Article 35. Data protection impact assessment
3 obligations
GDPR-35-06
Transparency
Establish and publish DPIA-required processing list
The supervisory authority must establish and make public a list of processing operations that require a data protection
GDPR-35-08
Transparency
Establish and publish DPIA-exempt processing list
The supervisory authority may establish and make public a list of processing operations for which no data protection imp
GDPR-35-16
Transparency
Seek data subject views on intended processing
Where appropriate, the controller must seek the views of data subjects or their representatives on the intended processi
Article 36. Prior consultation
6 obligations
GDPR-36-02
Transparency
Provide controller and joint controller responsibilities information
When consulting the supervisory authority, the controller must provide information about the respective responsibilities
GDPR-36-03
Transparency
Provide purposes and means of intended processing
When consulting the supervisory authority, the controller must provide the purposes and means of the intended processing
GDPR-36-04
Transparency
Provide measures and safeguards for data subject rights protection
When consulting the supervisory authority, the controller must provide the measures and safeguards provided to protect t
GDPR-36-05
Transparency
Provide data protection officer contact details
When consulting the supervisory authority, the controller must provide the contact details of the data protection office
GDPR-36-06
Transparency
Provide data protection impact assessment
When consulting the supervisory authority, the controller must provide the data protection impact assessment.
GDPR-36-07
Transparency
Provide any other information requested by supervisory authority
When consulting the supervisory authority, the controller must provide any other information requested by the supervisor
Article 37. Designation of the data protection officer
1 obligation
Article 40. Codes of conduct
1 obligation
Article 41. Monitoring of approved codes of conduct
1 obligation
Article 42. Certification
1 obligation
Article 43. Certification bodies
2 obligations
GDPR-43-06
Transparency
Establish transparent complaint handling procedures
Certification bodies must establish procedures and structures to handle complaints about infringements of the certificat
GDPR-43-10
Transparency
Publish requirements and criteria publicly
Supervisory authorities must make the requirements referred to in paragraph 3 and the criteria referred to in Article 42
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Article 45. Transfers on the basis of an adequacy decision
1 obligation
Article 49. Derogations for specific situations
2 obligations
GDPR-49-02
Transparency
Obtain explicit consent for transfers with informed risk disclosure
Controllers must obtain the data subject's explicit consent for the proposed transfer after informing them of the possib
GDPR-49-08
Transparency
Inform data subject of exceptional transfer and legitimate interests
Controllers must inform the data subject of the transfer and the compelling legitimate interests pursued, in addition to
Chapter VI — Independent Supervisory Authorities
Article 57. Tasks
9 obligations
GDPR-57-02
Transparency
Promote public awareness of data protection
Supervisory authorities must promote public awareness and understanding of risks, rules, safeguards and rights in relati
GDPR-57-03
Transparency
Advise national institutions on data protection measures
Supervisory authorities must advise, in accordance with Member State law, the national parliament, government, and other
GDPR-57-04
Transparency
Promote controller and processor awareness of obligations
Supervisory authorities must promote the awareness of controllers and processors regarding their obligations under the G
GDPR-57-05
Transparency
Provide information to data subjects on request
Supervisory authorities must provide information to any data subject concerning the exercise of their rights under the G
GDPR-57-12
Transparency
Give advice on processing operations
Supervisory authorities must give advice on processing operations as referred to in Article 36(2)
GDPR-57-16
Transparency
Draft and publish accreditation requirements
Supervisory authorities must draft and publish requirements for accreditation of bodies for monitoring codes of conduct
GDPR-57-23
Transparency
Facilitate complaint submission
Supervisory authorities must facilitate the submission of complaints by measures such as providing complaint submission
GDPR-57-24
Transparency
Provide free services to data subjects and DPOs
Supervisory authorities must ensure that the performance of their tasks is free of charge for data subjects and, where a
GDPR-57-26
Transparency
Demonstrate manifestly unfounded/excessive character of requests
Supervisory authorities must bear the burden of demonstrating the manifestly unfounded or excessive character of request
Article 58. Powers
3 obligations
GDPR-58-01
Transparency
Provide Information Upon Supervisory Authority Request
Controllers and processors must provide any information requested by supervisory authorities for the performance of thei
GDPR-58-03
Transparency
Provide Access to Personal Data and Information
Controllers and processors must provide supervisory authorities with access to all personal data and all information nec
GDPR-58-04
Transparency
Provide Access to Premises and Equipment
Controllers and processors must provide supervisory authorities access to their premises, including data processing equi
Article 59. Activity reports
1 obligation
Chapter VII — Cooperation and Consistency
Article 61. Mutual assistance
1 obligation
Article 65. Dispute resolution by the Board
4 obligations
GDPR-65-03
Transparency
Board decisions must be reasoned and addressed to relevant authorities
Board decisions must be reasoned and addressed to the lead supervisory authority and all supervisory authorities concern
GDPR-65-08
Transparency
Board must publish decision on website without delay
The Board must publish its decision on its website without delay after the supervisory authority has notified the final
GDPR-65-11
Transparency
Final decision must refer to Board decision and specify publication
The final decision must refer to the Board's decision and specify that the Board's decision will be published on the Boa
GDPR-65-12
Transparency
Final decision must attach Board decision
The supervisory authority's final decision must attach the Board's decision as an appendix.
Article 71. Reports
1 obligation
Article 75. Secretariat
1 obligation
Article 76. Confidentiality
1 obligation
Chapter VIII — Remedies, Liability and Penalties
Article 77. Right to lodge a complaint with a supervisory authority
1 obligation
Chapter IX — Provisions Relating to Specific Processing Situations
Chapter X — Delegated Acts and Implementing Acts
Chapter XI — Final Provisions
Article 97. Commission reports
1 obligation