Chapter 1 — General Provisions

  • Article 1 — Subject-matter and objectives
  • Article 2 — Material scope
  • Article 3 — Territorial scope
  • Article 4 — Definitions

Chapter 2 — Principles

  • Article 5 — Principles relating to processing of personal data
  • Article 6 — Lawfulness of processing
  • Article 7 — Conditions for consent
  • Article 8 — Conditions applicable to child’s consent in relation to information society services
  • Article 9 — Processing of special categories of personal data
  • Article 10 — Processing of personal data relating to criminal convictions and offences
  • Article 11 — Processing which does not require identification

Chapter 3 — Rights of the Data Subject

Section 1: Transparency and modalities

  • Article 12 — Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2: Information and access to personal data

  • Article 13 — Information to be provided where personal data are collected from the data subject
  • Article 14 — Information to be provided where personal data have not been obtained from the data subject
  • Article 15 — Right of access by the data subject

Section 3: Rectification and erasure

  • Article 16 — Right to rectification
  • Article 17 — Right to erasure (‘right to be forgotten’)
  • Article 18 — Right to restriction of processing
  • Article 19 — Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 — Right to data portability

Section 4: Right to object and automated individual decision-making

  • Article 21 — Right to object
  • Article 22 — Automated individual decision-making, including profiling

Section 5: Restrictions

  • Article 23 — Restrictions

Chapter 4 — Controller and Processor

Section 1: General obligations

  • Article 24 — Responsibility of the controller
  • Article 25 — Data protection by design and by default
  • Article 26 — Joint controllers
  • Article 27 — Representatives of controllers or processors not established in the Union
  • Article 28 — Processor
  • Article 29 — Processing under the authority of the controller or processor
  • Article 30 — Records of processing activities
  • Article 31 — Cooperation with the supervisory authority

Section 2: Security of personal data

  • Article 32 — Security of processing
  • Article 33 — Notification of a personal data breach to the supervisory authority
  • Article 34 — Communication of a personal data breach to the data subject

Section 3: Data protection impact assessment and prior consultation

  • Article 35 — Data protection impact assessment
  • Article 36 — Prior consultation

Section 4: Data protection officer

  • Article 37 — Designation of the data protection officer
  • Article 38 — Position of the data protection officer
  • Article 39 — Tasks of the data protection officer

Section 5: Codes of conduct and certification

  • Article 40 — Codes of conduct
  • Article 41 — Monitoring of approved codes of conduct
  • Article 42 — Certification
  • Article 43 — Certification bodies

Chapter 5 — Transfers of Personal Data to Third Countries or International Organizations

  • Article 44 — General principle for transfers
  • Article 45 — Transfers on the basis of an adequacy decision
  • Article 46 — Transfers subject to appropriate safeguards
  • Article 47 — Binding corporate rules
  • Article 48 — Transfers or disclosures not authorised by Union law
  • Article 49 — Derogations for specific situations
  • Article 50 — International cooperation for the protection of personal data

Chapter 6 — Independent Supervisory Authorities

Section 1: Independent status

  • Article 51 — Supervisory authority
  • Article 52 — Independence
  • Article 53 — General conditions for the members of the supervisory authority
  • Article 54 — Rules on the establishment of the supervisory authority

Section 2: Competence, tasks and powers

  • Article 55 — Competence
  • Article 56 — Competence of the lead supervisory authority
  • Article 57 — Tasks
  • Article 58 — Powers
  • Article 59 — Activity reports

Chapter 7 — Cooperation and Consistency

Section 1: Cooperation

  • Article 60 — Cooperation between the lead supervisory authority and the other supervisory authorities concerned
  • Article 61 — Mutual assistance
  • Article 62 — Joint operations of supervisory authorities

Section 2: Consistency

  • Article 63 — Consistency mechanism
  • Article 64 — Opinion of the Board
  • Article 65 — Dispute resolution by the Board
  • Article 66 — Urgency procedure
  • Article 67 — Exchange of information

Section 3: European data protection board

  • Article 68 — European Data Protection Board
  • Article 69 — Independence
  • Article 70 — Tasks of the Board
  • Article 71 — Reports
  • Article 72 — Procedure
  • Article 73 — Chair
  • Article 74 — Tasks of the Chair
  • Article 75 — Secretariat
  • Article 76 — Confidentiality

Chapter 8 — Remedies, Liability and Penalties

  • Article 77 — Right to lodge a complaint with a supervisory authority
  • Article 78 — Right to an effective judicial remedy against a supervisory authority
  • Article 79 — Right to an effective judicial remedy against a controller or processor
  • Article 80 — Representation of data subjects
  • Article 81 — Suspension of proceedings
  • Article 82 — Right to compensation and liability
  • Article 83 — General conditions for imposing administrative fines
  • Article 84 — Penalties

Chapter 9 — Provisions Relating to Specific Processing Situations

  • Article 85 — Processing and freedom of expression and information
  • Article 86 — Processing and public access to official documents
  • Article 87 — Processing of the national identification number
  • Article 88 — Processing in the context of employment
  • Article 89 — Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • Article 90 — Obligations of secrecy
  • Article 91 — Existing data protection rules of churches and religious associations

Chapter 10 — Delegated Acts and Implementing Acts

  • Article 92 — Exercise of the delegation
  • Article 93 — Committee procedure

Chapter 11 — Final Provisions

  • Article 94 — Repeal of Directive 95/46/EC
  • Article 95 — Relationship with Directive 2002/58/EC
  • Article 96 — Relationship with previously concluded Agreements
  • Article 97 — Commission reports
  • Article 98 — Review of other Union legal acts on data protection
  • Article 99 — Entry into force and application