Articles of the GDPR

Made up of 99 individual Articles, the EU's General Data Protection Regulation (GDPR) gives EU citizens control over who can access, collect, process, handle, or share their "personal data."

The General Data Protection Regulation's 99 Articles are organized into 11 Chapters. Alongside the 99 Articles, there are 173 Recitals. These Recitals help you understand the different provisions.

Each Article is summarized below.

Is the GDPR Binding?

Yes. In EU law, regulations are binding on:

• All Member States, and
• Any country, anywhere in the world, where a company handles data belonging to an EU citizen, or where a website receives visitors from the EU

Here's an Article by Article breakdown of what you need to know.

Chapter 1, General Provisions: Articles 1 - 4

These first few Articles define who the GDPR applies to and clarify its scope.

Article 1: Subject-Matter and Objective

• EU citizens have a legal right to protect their data, and
• The GDPR regulates how companies and authorities handle this information

Article 2: Material Scope

Article 2 explains when the GDPR applies and, crucially, when it doesn't apply.

The GDPR applies when a company:

• Holds data as part of a filing system for commercial purposes, or
• Processes this data automatically

It doesn't apply when:

• Someone collects personal data for purely private, domestic, or personal use e.g. a home address book, or
• Legal authorities use the data to detect, prevent, or prosecute a crime, including terrorist or national security threats

Article 3: Territorial Scope

Anyone monitoring the behavior of EU citizens while they're inside the Union or selling services and goods to EU citizens must comply with the GDPR.

Any data processed inside the EU boundaries will be protected by the GDPR. It doesn't matter where the controller or processor is physically based.

Article 4: Definitions

This Article defines the key words and phrases used in the GDPR including:

• Personal data - Information that may be used to identify a natural person or their household
• Processing - Anything that happens to personal information
• Profiling - Using personal data to evaluate someone's behavior, likes and dislikes, health, and movement patterns
• Pseudonymisation - Randomizing data so that someone is no longer personally identifiable
• Controller - Legal or natural person that decides how personal data is collected and for what purpose
• Processor - The authority, company, or person responsible for processing the data for the controller
• Third party - Company, authority, or person permitted to process data
• Consent - When a person gives clear and informed consent to a company processing their data
• Supervisory authority - A body, appointed by each Member State, responsible for supervising GDPR compliance across that State

Chapter 2, Principles: Articles 5 - 11

These Articles set out the general principles that all companies must abide by if they plan on capturing personal data from anyone in the EU.

Article 5: Principles Relating to Processing of Personal Data

Data controllers must:

• Process data lawfully and transparently
• Collect data for set purposes only
• Only collect as much data as they need to fulfil this purpose
• Correct inaccurate information as soon as possible
• Store data no longer than necessary
• Provide safe data storage and deletion processes

Article 6: Lawfulness of Processing

Processing is only "lawful" if consent is freely given and the processing is necessary to:

• Complete a contract
• Fulfil a legal obligation
• Protect someone's vital interests or
• Other legitimate interests apply

Public interest doesn't require consent.

Article 7: Conditions for Consent

Consent must be:

• Given freely
• Express, and
• Be easy to withdraw at any time

Article 8: Conditions Applicable to Child's Consent in Relation to Information Society Services

To process personal data belonging to a minor (under 16) who uses an online service such a streaming site, you must:

• Get a parent or guardian's express consent, and
• Take reasonable steps to confirm it's actually the parent or guardian who consented on their behalf

Article 9: Processing of Personal Categories of Personal Data

Some categories of personal data are afforded special protection under the GDPR.

Unless someone is in physical danger, or they pose a public risk, or they give express consent, or you're a charity with legitimate interests, you can't store information identifying someone's:

• Sexual orientation
• Ethnicity or race
• Religious orientation
• Political views
• Trade union membership
• Health, bio, and genetic data

Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences

Unless you have Member State authority, you can't process data revealing someone's criminal offences or convictions.

Article 11: Processing Which Does Not Require Identification

If the controller doesn't need to know someone's identity to process the information, they shouldn't take steps to find out who the data belongs to. If the controller does need more data to identify a person, they should let the individual know this.

Unless the person gives the company more information, Articles 15 through 20 don't apply.

Chapter 3, Rights of the Data Subject: Articles 12 - 23

These Articles set out the specific rights afforded to individuals in more detail.

Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject

You must inform users of their GDPR rights and help them exercise these rights. Your guidance should be clear, accessible, concise, and transparent. Essentially, you must draft a Privacy Policy.

If a person wants access to the information you hold on them, you typically only have one month to provide this data, and free of charge.

You can charge a fee if the person makes repeated or unduly onerous requests. You can also refuse the request if you're not convinced they are who they say they are, or ask for an extension of up to two months if more time is actually needed.

Article 13: Information to Be Provided Where Personal Data Are Collected From the Data Subject

Before or at the time of data collection, you must tell the individual (data subject) that:

• You're collecting data
• Why you're gathering the data, and your legal basis
• Who the controller is
• How to contact the controller
• How you store the data, for how long, and where it's stored
• How people can access the data stored on them or make a complaint, and
• Any third parties who will receive the information

These are all details to include in your Privacy Policy.

Article 14: Information to Be Provided Where Personal Data Have Not Been Obtained From the Data Subject

If you receive personal data from someone who didn't provide it to you, you must tell them:

• Who you are
• How you received their data
• What you hold on them
• How you're storing it, and for how long
• Why you hold it, and
• How they can object to this

This requirement doesn't apply if you hold the data for:

• Public interest requirements
• Statistical or scientific research purposes

Article 15: Right of Access by the Data Subject

Someone can access the data held on them, free of charge, and ask how to have it erased.

Article 16: Right to Rectification

You must rectify mistakes or inaccuracies in someone's personal data without undue delay.

Article 17: Right to Erasure ("Right to Be Forgotten")

You must delete the personal data you hold on someone:

• At their request
• If you don't need it anymore for the original purpose, or
• There are no other legitimate grounds for holding the data

You can refuse an erasure request if it's in the public interest to do so, or if you need the data to comply with legal claims:

Article 18: Right to Restriction of Processing

If you need time to consider an erasure or rectification request, or you've been handling data unlawfully but the person wants you to keep it, you should stop processing the data in specific ways upon request.

Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

If you've shared personal data with other parties, you must communicate erasure or rectification requests to them, too.

Article 20: Right to Data Portability

People have the right to request the information you hold on them in a specific format, whether it's by written or electronic means, unless the request is excessive. They can also request you transfer the information to another company if possible.

Article 21: Right to Object

If someone objects to direct marketing, you must comply. If a person objects to you handling their data, you must comply unless there's a legitimate reason not to, such as the public interest.

Article 22: Automated Individual Decision-Making, Including Profiling

A data subject can object to you using their personal data for profiling purposes unless:

• You need to process the data to fulfil a contract
• Member State law permits you using data this way, or
• The person consented to automated profiling

Article 23: Restrictions

Member States can, in certain circumstances, restrict the data rights listed in Articles 12 - 22 and 34. The circumstances are:

• National security
• Public interest
• Criminal investigations, or
• Protecting freedoms and rights

Users must be informed of how these laws restrict their rights and why.

Chapter 4, Controller and Processor: Articles 24 - 43

These Articles describe the responsibilities of controllers and processors, and how they work together.

Article 24: Responsibility of the Controller

The data controller is responsible for GDPR-compliant data processing.

Article 25: Data Protection by Design and by Default

It's on the data controller to ensure that data is properly safeguarded by default within data processing systems. They must also ensure that data is used for specified purposes only.

Article 26: Joint Controllers

Two or more controllers can jointly process data. It's on them to decide how to allocate GDPR compliance responsibilities effectively.

Article 27: Representatives of Controllers or Processors Not Established in the Union

Unless the data processor or controller is a public body, or processes only non-special category very occasionally, they must appoint someone to represent them, or act as their data controller, within the EU.

Article 28: Processor

A controller can't appoint a data processor who can't demonstrate GDPR compliance. It's on the controller to check that the processor is in fact compliant.

Data processors, however, are liable for the actions of any subcontractors they hire. They must also get written consent from the data controller before appointing any other data processors.

Article 29: Processing Under the Authority of the Controller and Processor

A processor can't process personal data unless they have the controller's permission, or they're required to process the data by law.

Article 30: Records of Processing Activities

Data controllers and processors with more than 250 employees must record their processing activities, including:

• Controller and/or processor's name and contact details
• What data you're processing, and why, and
• How you plan on keeping data secure

Companies with less than 250 employees don't need to record their processes unless they handle special categories or criminal convictions, or:

• The data puts the rights and freedoms of the individuals at risk, or
• They process personal data frequently

Article 31: Cooperation with the Supervisory Authority

Controllers and processors must always cooperate with the relevant Member State's supervisory authorities.

Article 32: Security of Processing

Controllers and processors must secure the data they handle. Obligations include:

• Encrypting or otherwise protecting data files
• Regularly reviewing and testing the integrity of the company's cybersecurity processes, and
• Ensuring that files can be accessed or restored in the event of technical incidents

You're only required to implement procedures that are proportionate for your particular organization.

Article 33: Notification of a Personal Data Breach to the Supervisory Authority

Data controllers must document any breach and report it to the supervisory authority within 72 hours of discovering the breach. The only exception is if the breach doesn't pose any risk to someone's rights or freedoms.

The controller must report:

• What happened
• Any potential consequences of the breach
• How they plan on mitigating the possible consequences, and
• The data protection officer's name and contact details (or another point of contact)

Data processors must inform the data controller of a breach without undue delay.

Article 34: Communication of a Personal Data Breach to the Data Subject

If a breach occurs, and it risks the rights and freedoms of individuals, you must tell them as soon as possible using clear, simple language.

You don't need to report the breach to individuals if:

• It's proportionate to simply send out a public notification instead
• You took immediate action to mitigate the risk of the breach, or
• You properly encrypted the data i.e. you took reasonable steps to protect it

Article 35: Data Protection Impact Assessment

You must evaluate what impact any new data processing technology will have on data security before you use it. In other words, you need to perform a risk assessment. This is especially important if you handle special categories of data, or information relating to criminal offences.

Article 36: Prior Consultation

If your impact assessment or risk assessment reveals that there's a high risk of data breach, you must consult with your supervisory authority before rolling out the new technology. They'll expect you to provide details on the possible risks and how you plan on mitigating them.

The supervisory authority should respond with advice within 8 weeks, although it may take longer if the issues are especially complex.

Article 37: Designation of the Data Protection Officer

A data controller should appoint a data protection officer if:

• They're a public body (other than a court)
• They plan on monitoring large numbers of people, or
• They're processing high volumes of special data categories

It's possible to appoint a member of staff for this job so long as there's no conflict of interest between doing their job and complying with their data protection duties. Once you've selected your data protection officer, forward their name and contact details to the supervisory authority.

Article 38: Position of the Data Protection Officer

You must allow the data protection officer to do their duties without interference.

They must be involved in all matters concerning GDPR compliance, and you should make it easy for them to access the training they need to do their job.

Article 39: Tasks of the Data Protection Officer

A data protection officer has many duties, the most important of which are:

• Liasing with the supervisory authority
• Assisting the controller and/or processor with their data protection efforts, and
• Raising awareness around GDPR compliance

Article 40: Codes of Conduct

Regulatory bodies that represent groups of small or medium-sized enterprises should set out a code of conduct to help their members comply with their data protection responsibilities. The code must be approved by the supervisory authority before it's valid.

Article 41: Monitoring of Approved Codes of Conduct

Following from Article 40, an accredited body can monitor how well the member organizations comply with the code of conduct. If a company isn't complying, the accredited body can apply to the supervisory authority to have them suspended.

Article 42: Certification

All Member States should encourage businesses to sign up for voluntary certification schemes that demonstrate their commitment to EU privacy law.

Article 43: Certification Bodies

The certificates referred to in Article 42 must be awarded by organizations accredited by the supervisory authority for this purpose.

Chapter 5, Transfers of Personal Data to Third Countries or International Organisations: Articles 44 - 50

These Articles explain how organisations can legally transfer data to countries outside the EU.

Article 44: General Principle for Transfers

You must comply with the Chapter 5 conditions to transfer data to third countries.

Article 45: Transfers on the Basis of an Adequacy Decision

You can transfer data to third countries if the European Commission declares that the country's data security processes are adequate. Countries and approvals are reviewed every 4 years.

Article 46: Transfers Subject to Appropriate Safeguards

You can transfer data to unapproved countries if you implement appropriate safety measures and ensure that the data subjects can still enforce their rights and freedoms over personal data.

The safeguards you choose should be enshrined in an enforceable instrument or contract between the companies involved.

Article 47: Binding Corporate Rules

You can establish enforceable, binding corporate rules to transfer personal data to unapproved countries. The rules must set out:

• Name and contact details for the companies involved
• Types of data involved, including special categories
• The general principles of GDPR compliance and how they will apply
• How individuals can enforce their rights
• Liability for data breaches, and
• That the rules are binding and legally enforceable

If the supervisory authority approves your corporate rules, there's no need to seek approval from the different supervisory authorities across Member States you operate in.

Article 48: Transfers or Disclosures Not Authorised by European Union Law

A third country court can't enforce any data transfer out of the EU unless there's a binding and legally enforceable international agreement in place between the Member State and the third country.

Article 49: Derogations for Specific Situations

You can only transfer data to a third country without appropriate safeguards or binding corporate rules if:

• The affected individual, in full knowledge of the risks, consents to the transfer
• It's necessary for significant public interest or legal reasons
• It's necessary to protect the affected individual's vital interests, and they're unable to consent on their own behalf, or
• It's necessary to fulfil another contract between the controller and processor

Article 50: International Cooperation for the Protection of Personal Data

Supervisory authorities and the European Commission should always cooperate with third countries to promote and enforce data compliance.

Chapter 6, Independent Supervisory Authorities: Articles 51 - 59

These Articles explain the role of supervisory authorities and how they should be appointed.

Article 51: Supervisory Authority

Supervisory authorities are public bodies that monitor GDPR compliance within their Member State. Each Member State must have a supervisory authority, and the different authorities must cooperate across the EU.

Article 52: Independence

There can be no state interference with a supervisory authority's work.

Article 53: General Conditions for the Members of the Supervisory Authority

The Member State must appoint suitably qualified individuals to the supervisory authority.

Article 54: Rules on the Establishment of the Supervisory Authority

Before appointing a supervisory authority, each Member State must establish rules for making these appointments. The rules must cover:

• How members are appointed
• What qualifications are needed
• How long appointments last
• Whether members can be reappointed, and
• What actions are prohibited

Article 55: Competence

The supervisory authorities have no jurisdiction over personal data processed by Member State courts.

Article 56: Competence of the Lead Supervisory Authority

This Article sets out which supervisory authority takes precedence when you're transferring data between Member States. In short, it's the supervisory authority of your own Member State, or the Member State where you do most of your processing, that takes the lead.

If a GDPR compliance complaint or infringement allegation is made, the first supervisory authority to handle the issue is the one in charge across the Member State in which the complaint originated.

If they're not the lead supervisory authority, they must inform them, and it's up to the lead supervisory authority to decide whether to handle it themselves or not.

Article 57: Tasks

Supervisory authorities must:

• Ensure that the GDPR is consistently enforced across the Member State
• Promote data compliance and how to protect personal information
• Handle GDPR compliance complaints, and
• Advise the Member State government on any legal and regulatory changes

Article 58: Powers

Among other things, supervisory authorities can:

• Investigate GDPR complaints and allegations
• Issue fines and penalties for non-compliance, and
• Approve binding corporate rules and codes of conduct

These powers are subject to their own safeguards.

Article 59: Activity Reports

Supervisory authorities must produce public, transparent annual reports of their activities.

Chapter 7, Cooperation and Consistency: Articles 60 - 76

One of the largest sections, Chapter 7 sets out how supervisory authorities and other legal bodies cooperate to maintain high standards of GDPR compliance.

Article 60: Cooperation Between the Lead Supervisory Authority and the Other Supervisory Authorities Concerned

This enshrines the principle that supervisory authorities must work together, and that it's on lead supervisory authorities to encourage the exchange of information where relevant.

Article 61: Mutual Assistance

One supervisory authority cannot refuse to help another unless:

• The help required is outside the supervisory authority's competency or remit, or
• Helping means infringing the GDPR or Member State law

Article 62: Joint Operations of Supervisory Authorities

When appropriate, supervisory authorities can work together. This is most common when data controllers and processors have many data subjects in multiple Member States who may be affected by a particular data processing operation.

Article 63: Consistency Mechanism

The GDPR must be applied consistently across supervisory authorities.

Article 64: Opinion of the Board

Supervisory authorities must tell the European Data Protection Board if they plan on making certain decisions. This is so that the Board can issue opinions on whether it's the right decision or not.

Decisions that should be referred to the Board include approving binding corporate rules and codes of conduct.

Article 65: Dispute Resolution by the Board

The European Data Protection Board can mediate disputes between supervisory authorities. Their decision is binding and enforceable.

Article 66: Urgency Procedure

Exceptionally, supervisory authorities can immediately introduce laws to protect people's rights and freedoms. They can only do this if there's a significant risk, and the laws only last a maximum of 3 months.

Article 67: Exchange of Information

When required, the European Commission may pass rules explaining how supervisory authorities and the European Data Protection Board can legally exchange information.

Article 68: European Data Protection Board

This Article establishes the Board and sets out its general scope. Most importantly, each supervisory authority across the Member States appoints one member to join the Board.

Article 69: Independence

The Board must always be independent and impartial.

Article 70: Tasks of the Board

The European Data Protection Board ensures that Member States and their supervisory authorities comply with the GDPR and apply it consistently.

Article 71: Reports

Like the supervisory authorities, the Board must produce a public annual review, outlining its key work.

Article 72: Procedure

Decisions on the Board are made through simple majority votes unless otherwise agreed.

Article 73: Chairs

The Board must elect one "Chair" and two Deputy Chairs.

Article 74: Tasks of the Chair

The Chair convenes Board meetings, sets agendas, and communicates decisions to the relevant supervisory authorities.

Article 75: Secretariat

The Secretariat supports the Board's administration and day-to-day operations.

Article 76: Confidentiality

Where it's deemed appropriate, the Board's decisions can remain confidential.

Chapter 8, Remedies, Liability and Penalties: Articles 77 - 84

Chapter 8 sets out how complaints are made to supervisory authorities and what penalties they can enforce.

Article 77: Right to Lodge a Complaint With a Supervisory Authority

Individuals can make a complaint with their supervisory authority, who must keep them informed of what's happening with the case.

Article 78: Right to Effective Judicial Remedy Against a Supervisory Authority

If a person isn't satisfied with how a supervisory authority handles a case that concerns them, they can apply to court for a hearing. This only applies to binding, final decisions made by the supervisory authority.

Article 79: Right to an Effective Judicial Remedy Against a Controller or Processor

If an individual feels that a controller or processor compromised their personal data by violating the GDPR, they can ask the courts to hear their case.

Article 80: Representation of Data Subjects

Non-profit organizations or charities can support an individual's case against a controller or processor if they have a legitimate public interest reason for doing so.

Article 81: Suspension of Proceedings

If there's more than one case pending against the same data controller or processor at one time, the court hearing the first case should notify the second court so they can suspend proceedings until the first case ends.

Article 82: Right to Compensation and Liability

In certain circumstances, data controllers and processors must financially compensate an individual if the person is affected by a data breach or GDPR infringement.

Data processors are only liable if they go against the express instructions of the data controller or breach the GDPR Articles that specifically affect processors. Data controllers, however, are liable for whatever damage their processing causes.

Article 83: General Conditions for Imposing Administrative Fines

If a data controller or processor infringes the General Data Protection Regulation, the relevant supervisory authority can impose fines. When deciding whether to financially sanction the processor or controller, the supervisory authority will consider:

• The severity of the infraction
• Whether the company intentionally or negligently broke the rules
• Whether the company took steps to mitigate the damage
• The company's compliance history
• The categories of data affected
• How easily and willingly the company cooperates with the supervisory authority, and
• Any other relevant factor

There are two categories of fines. You can be fined the higher of 2% of your annual global turnover, or 10 million Euros, for shortcomings including:

• Having inappropriate data protection mechanisms, and
• Failing to get proper consent for children accessing your services

You can be fined the higher of 4% of your annual global turnover, or 20 million Euros, for failings including:

• Non-cooperation with supervisory authorities, and
• Failing to get consent to data collection

Article 84: Penalties

Member States must draft and implement their own GDPR infringement penalties alongside these guidelines.

Chapter 9, Provisions Relating to Specific Processing Situations: Articles 85 - 91

These Articles set out more detailed guidance for some specific processing scenarios.

Article 85: Processing and Freedom of Expression and Information

For artistic, journalistic, and academic purposes, Member States must relax some GDPR provisions in favor of freedom of expression and information. It's up to individual Member States to find this balance and explain their decision to the European Commission in writing.

Article 86: Processing and Public Access to Official Documents

If a public body holds official documents containing personal data on individuals, the Member State can disclose this information to relevant authorities if it's in the public interest to do so.

Article 87: Processing of the National Identification Number

It's up to Member States to set parameters for processing and handling National Identification Numbers, so long as they follow the GDPR principles.

Article 88: Processing in the Context of Employment

It's on Member States to set their own rules and guidelines for processing and safeguarding personal data in an employment context.

Article 89: Safeguards and Derogations Relating to Processing for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes

Data processed for the purposes set out in Article 89 should generally be anonymized or otherwise safeguarded. However, Member States can set out their own exceptions to this safeguarding principle.

In other words, if it's the only way to archive data or conduct a legitimate scientific study, it may be possible to forego some of the typical safeguards.

Article 90: Obligations of Secrecy

It's possible for Member States to set certain rules that allow supervisory authorities to access confidential personal data given to controllers and processors in some circumstances.

Article 91: Existing Data Protection Rules of Churches and Religious Associations

Churches and other religious institutions can maintain their own record keeping and data processing systems if they comply with the GDPR.

Chapter 10, Delegated Acts and Implementing Acts: Articles 92 - 93

These Articles are procedural in nature.

Article 92: Exercise of the Delegation

The European Commission can make non-essential changes to the law, otherwise known as passing delegated acts.

Article 93: Committee Procedure

A committee will be established to help the European Commission implement the GDPR.

Chapter 11, Final Provisions: Articles 94 - 99

These Articles confirm the relationship the GDPR has with repealed and existing EU law.

Article 94: Repeal of Directive 95/46/EC

From 25 May, 2018, the GDPR replaces Directive 95/46/EC.

Article 95: Relationship with Directive 2002/58/EC

Individuals have no more obligations under the GDPR than they do under an existing EU directive, the ePrivacy Directive.

Article 96: Relationship with Previously Concluded Agreements

If a company has a pre-existing personal data transfer agreement with a third country, and the parties set it up before 24 May, 2016, it's still enforceable.

Article 97: Commission Reports

The Commission must submit its first report on major GDPR issues, including compliance, consistency, and cooperation, before 25 May, 2020. It must submit a report every 4 years after this date, and all reports must be publicly available.

Article 98: Review of Other Legal Acts on Data Protection

The European Commission can recommend changes to other EU data laws, if necessary.

Article 99: Entry into Force and Application

The GDPR came into force on 25 May, 2018.

Conclusion

The General Data Protection Regulation helps companies understand their responsibilities when it comes to handling an individual's personal and sensitive data. Moreover, it gives individuals far greater control over what happens to their personal information than any other EU privacy law.

If you're a data processor or controller, it's your responsibility to read through the Regulation and ensure that you understand how it affects you and those whose data you collect.