GDPR

Table of contents

Chapter 1 (Art. 1 – 4) General provisions
Article 1: Subject matter and objectives
Article 2: Material scope
Article 3: Territorial scope
Article 4: Definitions

Chapter 2 (Art. 5 – 11)
Article 5: Principles relating to the processing of personal data
Article 6: Lawfulness of processing
Article 7: Conditions for consent
Article 8: Conditions applicable to child's consent in relation to information society services
Article 9: Processing of special categories of personal data
Article 10: Processing of personal data relating to criminal convictions and offences
Article 11: Processing which does not require identification

Chapter 3 (Art. 12 – 23)
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject
Article 16: Right to rectification
Article 17: Right to erasure (‘right to be forgotten’)
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling
Article 23: Restrictions

Chapter 4 (Art. 24 – 43)
Article 24: Responsibility of the controller
Article 25: Data protection by design and by default
Article 26: Joint controllers
Article 27: Representatives of controllers or processors not established in the Union
Article 28: Processor
Article 29: Processing under the authority of the controller or processor
Article 30: Records of processing activities
Article 31: Cooperation with the supervisory authority
Article 32: Security of processing
Article 33: Notification of a personal data breach to the supervisory authority
Article 34: Communication of a personal data breach to the data subject
Article 35: Data protection impact assessment
Article 36: Prior consultation
Article 37: Designation of the data protection officer
Article 38: Position of the data protection officer
Article 39: Tasks of the data protection officer
Article 40: Codes of conduct
Article 41: Monitoring of approved codes of conduct
Article 42: Certification
Article 43: Certification bodies

Chapter 5 (Art. 44 – 50)
Article 44: General principle for transfers
Article 45: Transfers on the basis of an adequacy decision
Article 46: Transfers subject to appropriate safeguards
Article 47: Binding corporate rules
Article 48: Transfers or disclosures not authorised by Union law
Article 49: Derogations for specific situations
Article 50: International cooperation for the protection of personal data

Chapter 6 (Art. 51 – 59)
Article 51: Supervisory authority
Article 52: Independence
Article 53: General conditions for the members of the supervisory authority
Article 54: Rules on the establishment of the supervisory authority
Article 55: Competence
Article 56: Competence of the lead supervisory authority
Article 57: Tasks
Article 58: Powers
Article 59: Activity reports

Chapter 7 (Art. 60 – 76)
Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61: Mutual assistance
Article 62: Joint operations of supervisory authorities
Article 63: Consistency mechanism
Article 64: Opinion of the Board
Article 65: Dispute resolution by the Board
Article 66: Urgency procedure
Article 67: Exchange of information
Article 68: European Data Protection Board
Article 69: Independence
Article 70: Tasks of the Board
Article 71: Reports
Article 72: Procedure
Article 73: Chair
Article 74: Tasks of the Chair
Article 75: Secretariat
Article 76: Confidentiality

Chapter 8 (Art. 77 – 84)
Article 77: Right to lodge a complaint with a supervisory authority
Article 78: Right to an effective judicial remedy against a supervisory authority
Article 79: Right to an effective judicial remedy against a controller or processor
Article 80: Representation of data subjects
Article 81: Suspension of proceedings
Article 82: Right to compensation and liability
Article 83: General conditions for imposing administrative fines
Article 84: Penalties

Chapter 9 (Art. 85 – 91)
Article 85: Processing and freedom of expression and information
Article 86: Processing and public access to official documents
Article 87: Processing of the national identification number
Article 88: Processing in the context of employment
Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90: Obligations of secrecy
Article 91: Existing data protection rules of churches and religious associations

Chapter 10 (Art. 92 – 93)
Article 92: Exercise of the delegation
Article 93: Committee procedure

Chapter 11 (Art. 94 – 99)
Article 94: Repeal of Directive 95/46/EC
Article 95: Relationship with Directive 2002/58/EC
Article 96: Relationship with previously concluded Agreements
Article 97: Commission reports
Article 98: Review of other Union legal acts on data protection
Article 99: Entry into force and application

Recitals
1: Protection of Personal Data as a Fundamental Right
2: Ensuring Respect for the Fundamental Rights and Freedoms
3: Harmonisation
4: Balance of Data Protection with other Fundamental Rights
5: Cooperation for Cross-Border Personal Data Exchange
6: Providing High Standards of Data Protection Regardless of the Increase in Data Exchange
7: Data Protection Framework Advances Trust and Control
8: Adoption by Member States
9: Fragmented Application of Directive 95/46/EC
10: Consistent Data Protection Standards Across the Member States
11: Harmonisation of Rights, Obligations and Powers
12: Mandate of the European Parliament and the Council
13: Consideration of Smaller Businesses
14: Not Applicable to Legal Persons
15: Technological Neutrality in Data Protection
16: Out of Scope: National and Common Security Activities
17: Adaptation of Regulation (EC) No 45/2001
18: Purely Personal or Household Processing
19: Not Applicable to Criminal Justice
20: Regulating Data Processing in Judicial Systems
21: Applicability of Directive 2000/31/EC
22: Data Processing by an Establishment
23: Extra-territorial Scope: Targeting Individuals in the EU
24: Extra-territorial Scope: Monitoring Individuals in the EU
25: Controllers under the Scope of International Law
26: Material Scope: Anonymous Data out of Scope
27: Material Scope: Data of Deceased Persons out of Scope
28: Application of Pseudonymisation
29: Pseudonymisation within the Same Controller
30: Profiling and Identification Using Online Identifiers
31: Scope of Regulation: Inapplicable to Public Authorities in the Execution of the Official Mission
32: Criteria for Valid Consent
33: Consent Framework in Scientific Research
34: Definition of Genetic Data
35: Health Data
36: Determining the Main Establishment in the EU
37: Group of Undertakings
38: Specific Protection of Children's Personal Data
39: Data Processing Principles
40: Lawful Processing
41: Legal Basis or Legislative Measures
42: Informed Consent
43: Freely Given Consent
44: Performance of Contract
45: Processing Necessary for the Performance of a Legal Obligation or Public Task
46: Processing for Vital Interests
47: Controller’s Overriding Legitimate Interest
48: Legitimate Interest Within a Group of Undertakings
49: Network and Information Security Constitutes an Overriding Legitimate Interest
50: Compatibility of Further Processing of Personal Data
51: Protection of Sensitive Personal Data
52: Derogations by Member State Law to the Prohibition on Processing of Special Category Data
53: Processing of Special Category Data by Health and Social Sector
54: Processing of Special Category Data in Public Health Sector
55: Processing by Official Authorities of Recognised Religious Associations
56: Processing Personal Data on Political Opinions in Electoral Activities
57: Identification Standards for Data Processing
58: The Principle of Transparency
59: Facilitating Data Subject Rights
60: Obligation of Informing the Data Subject
61: Timely Information Provision
62: Exceptions to Information Provision Obligation
63: Right of Access
64: Verification of Data Subject Identity
65: Right of Rectification and Erasure
66: Informing Other Controllers of the Exercise of Right to be Forgotten
67: Methods for Restriction of Processing
68: Right of Data Portability
69: Right to Object
70: Right to Object to Direct Marketing
71: Rights in respect of Profiling including Automated Decision Making
72: European Data Protection Board Guidance on Profiling
73: Legal Restrictions on Data Rights and Principles
74: Controller Responsibility and Liability
75: Risks to the Rights and Freedoms of Natural Persons
76: Risk Assessment
77: Guidance for Risk Assessment
78: Appropriate Technical and Organisational Measures (TOMs)
79: Allocation of Responsibilities under the Regulation
80: Designation of a Representative in the Union
81: Appointment of Processors
82: Record of Processing Activities
83: Security Measures
84: Data Protection Impact Assessment
85: Obligation to Notify Supervisory Authorities of Data Breaches
86: Obligation to Notify Data Subjects of Data Breaches
87: Prompt Data Breach Reporting
88: Format and Procedures for Personal Data Breach Notifications
89: Abolishment of the General Reporting Requirement
90: Conducting of Data Protection Impact Assessment
91: Requirement for a Data Protection Impact Assessment
92: Single Impact Assessment for Multiple Similar Projects
93: Data Protection Impact Assessment by Public Authorities
94: Consultation of the Supervisory Authority for High-Risk Processing
95: Assistance by the Processor
96: Consultation of the Supervisory Authority for Data Processing Legislation
97: Appointment of Data Protection Officer
98: Encouraging Preparation of Codes of Conduct for Data Processing
99: Consultation of Stakeholders including Data Subjects for Code of Conduct Creation
100: Certification Mechanisms
101: International Data Transfers
102: International Agreements Regulating Data Transfers
103: Adequacy Decisions by the Commission
104: Criteria for Assessing Adequacy
105: Evaluation of International Agreements for Adequacy Decisions
106: Monitoring Levels of Data Protection in Third Countries
107: Consequences of Change to an Adequate Level of Protection
108: Appropriate Transfer Mechanisms
109: Standard Data Protection Clauses
110: Binding Corporate Rules
111: Derogations for Specific Transfers
112: Transfers for Important Public Interest
113: Non-repetitive Transfers Concerning only a Limited Number of Data Subjects
114: Ensuring Data Subject Rights after Transfers
115: Third Country Rules that Impede the Protection of Individuals' Rights
116: International Cooperation Among Data Protection Supervisory Authorities
117: Establishment of Supervisory Authorities
118: Monitoring of Supervisory Authorities
119: Mechanisms for Participation of Multiple Supervisory Authorities within One Member State
120: Resources for Supervisory Authorities
121: Establishing Independent Supervisory Authorities
122: Jurisdiction and Responsibilities of the Supervisory Authorities
123: Cooperation of Supervisory Authorities with One Another and the Commission
124: Lead Supervisory Authority
125: Competences of the Lead Authority
126: Joint Decisions of Supervisory Authorities
127: Local Case Handling and Lead Authority Cooperation
128: Exemption for Public Interest Processing
129: Tasks and Powers of the Supervisory Authorities
130: Cooperation Between Lead Authority and the Authority with which the Complaint has been Lodged
131: Amicable Settlement with the Controller
132: Public Awareness Efforts by Supervisory Authorities
133: Mutual Assistance Among Supervisory Authorities
134: Joint Operations with Other Supervisory Authorities
135: Consistency Mechanism for Cooperation
136: Role of the Board in Consistency Mechanism
137: Provisional Measures
138: Urgency Procedure
139: Role of the European Data Protection Board
140: Secretariat Support for the Board
141: Entitlement to Lodge a Complaint
142: Mandating a Not-For-Profit Body, Organisation or Association
143: Judicial Remedies and Court Proceedings
144: Coordination of Related Proceedings Across Member States
145: Choice of Venue
146: Liability for Harm Caused by Infringement
147: Jurisdiction
148: Penalties for Non-Compliance
149: Criminal Penalties for Infringements
150: Administrative Fines for Infringements
151: Administrative Fines in Denmark and Estonia
152: Implementation of Penalties System in the Member States
153: Balancing Data Protection with Freedom of Expression for Journalistic, Academic, Artistic or Literary Purposes
154: Principle of Public Access to Official Documents
155: Processing of Employees' Personal Data
156: Processing of Personal Data for Archiving, Scientific, Historical Research or Statistical Purposes
157: Information from Registries for Scientific Research
158: Processing for Archiving Purposes
159: Processing for Scientific Research Purposes
160: Processing for Historical Research Purposes
161: Consent to Participate in Clinical Trials for Scientific Research
162: Processing for Statistical Purposes
163: Protection of Confidential Statistical Information Collected for European and National Statistics
164: Safeguarding Professional or Other Equivalent Secrecy Obligations
165: Respect and No Prejudice to Religious Institutions and Communities
166: Delegated Acts of the Commission
167: Implementation of Powers of the Commission
168: Adoption of Implementing Acts on Standard Contractual Clauses
169: Adoption of Immediately Applicable Implementing Acts
170: Adoption of Measures at Union level
171: Repeal of Directive 95/46/EC
172: Consultation with the European Data Protection Supervisor
173: Regulation's Impact on Directive 2002/58/EC