General Data Protection Regulation

Recitals

Chapter I – General provisions

• Article 1 – Subject-matter and objectives
• Article 2 – Material scope
• Article 3 – Territorial scope
• Article 4 – Definitions

Chapter II – Principles

• Article 5 – Principles relating to processing of personal data
• Article 6 – Lawfulness of processing
• Article 7 – Conditions for consent
• Article 8 – Conditions applicable to child’s consent in relation to information society Services
• Article 9 – Processing of special categories of personal data
• Article 10 – Processing of personal data relating to criminal convictions and offences
• Article 11 – Processing which does not require identification

Chapter III – Rights of the data subject

• Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject

• Article 13 – Information to be provided where personal data are collected from the data subject
• Article 14 – Information to be provided where personal data have not been obtainedfrom the data subject
• Article 15 – Right of access by the data subject

• Article 16 – Right to rectification
• Article 17 – Right to erasure (‘right to be forgotten’)
• Article 18 – Right to restriction of processing
• Article 19 – Notification Obligation regarding rectification or erasure of personal data or restriction of processing
• Article 20 – Right to data portability

• Article 21 – Right to object
• Article 22 – Automated individual decision-making, including profiling

• Article 23 – Restrictions

Chapter IV – Controller and processor

• Article 24 – Responsibility of the Controller
• Article 25 – Data protection by design and by default
• Article 26 – Joint Controllers
• Article 27 – Representatives of Controllers or processors not established in the Union
• Article 28 – Processor
• Article 29 – Processing under the authority of the Controller or processor
• Article 30 – Records of processing activities
• Article 31 – Cooperation with the supervisory authority

• Article 32 – Security of processing
• Article 33 – Notification of a personal data breach to the supervisory authority
• Article 34 – Communication of a personal data breach to the data subject

• Article 35 – Data protection impact assessment
• Article 36 – Prior consultation

• Article 37 – Designation of the data protection officer
• Article 38 – Position of the data protection officer
• Article 39 – Tasks of the data protection officer

• Article 40 – Codes of conduct
• Article 41 – Monitoring of approved codes of conduct
• Article 42 – Certification
• Article 43 – Certification bodies

Chapter V – Transfer of personal data to third countries or international organizations

• Article 44 – General principle for transfers
• Article 45 – Transfers on the basis of an adequacy decision
• Article 46 – Transfers subject to appropriate safeguards
• Article 47 – Binding corporate rules
• Article 48 – Transfers or disclosures not authorised by Union law
• Article 49 – Derogations for specific situations
• Article 50 – International cooperation for the protection of personal data

Chapter VI – Independent supervisory authorities

• Article 51 – Supervisory authority
• Article 52 – Independence
• Article 53 – General conditions for the members of the supervisory authority
• Article 54 – Rules on the establishment of the supervisory authority

• Article 55 – Competence
• Article 56 – Competence of the lead supervisory authority
• Article 57 – Tasks
• Article 58 – Powers
• Article 59 – Activity reports

Chapter VII – Cooperation and consistency

• Article 60 – Cooperation between the lead supervisory authority and other supervisory authorities concerned
• Article 61 – Mutual assistance
• Article 62 – Joint operations of supervisory authorities

• Article 63 – Consistency mechanism
• Article 64 – Opinion of the Board
• Article 65 – Dispute resolution by the Board
• Article 66 – Urgency procedure
• Article 67 – Exchange of information

• Article 68 – European Data Protection Board
• Article 69 – Independence
• Article 70 – Tasks of the Board
• Article 71 – Reports
• Article 72 – Procedure
• Article 73 – Chair
• Article 74 – Tasks of the Chair
• Article 75 – Secretariat
• Article 76 – Confidentiality

Chapter VIII – Remedies, liability and penalties

• Article 77 – Right to lodge a complaint with a supervisory authority
• Article 78 – Right to an effective judicial remedy against a supervisory authority
• Article 79 – Right to an effective judicial remedy against a controller or processor
• Article 80 – Representation of data subjects
• Article 81 – Suspension of proceedings
• Article 82 – Right to compensation and liability
• Article 83 – General conditions for imposing administrative fines
• Article 84 – Penalties

Chapter IX – Provisions relating to specific processing situations

• Article 85 – Processing and freedom of expression and information
• Article 86 – Processing and public access to official documents
• Article 87 – Processing of the national identification number
• Article 88 – Processing in the context of employment
• Article 89 – Safeguards and derogations relating to processing for archivingpurposes in the public interest, scientific or historical research purposes or statisticalpurposes
• Article 90 – Obligations of secrecy
• Article 91 – Existing data protection rules of churches and religious associations

Chapter X – Delegated acts and implementing acts

• Article 92 – Ausübung der Befugnisübertragung
• Article 93 – Committee procedure

Chapter XI – Final provisions

• Article 94 – Repeal of Directive 95/46/EC
• Article 95 – Relationship with Directive 2002/58/EC
• Article 96 – Relationship with previously concluded Agreements
• Article 97 – Commission reports
• Article 98 – Review of other Union legal acts on data protection
• Article 99 – Entry into force and application