Recitals of the GDPR

The EU's General Data Protection Regulation (GDPR) contains 99 clauses known as Articles, and 173 Recitals. Although they're not strictly legally binding on their own, the Recitals are critical to understanding the GDPR and applying the privacy law properly.
Here we will work through each GDPR Recital and summarize its main points.
- 1. Recital 1: Data Protection as a Fundamental Right
- 2. Recital 2: Respect of the Fundamental Rights and Freedoms
- 3. Recital 3: Directive 95/46/EC Harmonisation
- 4. Recital 4: Data Protection in Balance with Other Fundamental Rights
- 5. Recital 5: Cooperation Between Member States to Exchange Personal Data
- 6. Recital 6: Ensuring a High Level of Data Protection Despite the Increased Exchange of Data
- 7. Recital 7: The Framework is Based on Control and Certainty
- 8. Recital 8: Adoption into National Law
- 9. Recital 9: Different Standards of Protection by the Directive 95/46/EC
- 10. Recital 10: Harmonised Level of Data Protection Despite National Scope
- 11. Recital 11: Harmonisation of the Powers and Sanctions
- 12. Recital 12: Authorization of the European Parliament and the Council
- 13. Recital 13: Taking Account of Micro, Small and Medium-Sized Enterprises
- 14. Recital 14: Not Applicable to Legal Persons
- 15. Recital 15: Technology Neutrality
- 16. Recital 16: Not Applicable to Activities Regarding National and Common Security
- 17. Recital 17: Adaptation of Regulation (EC) No 45/2001
- 18. Recital 18: Not Applicable to Personal or Household Activities
- 19. Recital 19: Not Applicable to Criminal Prosecution
- 20. Recital 20: Respecting the Independence of the Judiciary
- 21. Recital 21: Liability Rules of Intermediary Service Providers Shall Remain Unaffected
- 22. Recital 22: Processing by an Establishment
- 23. Recital 23: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Targeted
- 24. Recital 24: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Profiled
- 25. Recital 25: Applicable to Processors Due to International Law
- 26. Recital 26: Not Applicable to Anonymous Data
- 27. Recital 27: Not Applicable to Data of Deceased Persons
- 28. Recital 28: Introduction of Pseudonymisation
- 29. Recital 29: Pseudonymisation at the Same Controller
- 30. Recital 30: Online Identifiers for Profiling and Identification
- 31. Recital 31: Not Applicable to Public Authorities in Connection with Their Official Tasks
- 32. Recital 32: Conditions for Consent
- 33. Recital 33: Consent to Certain Areas of Scientific Research
- 34. Recital 34: Genetic Data
- 35. Recital 35: Health Data
- 36. Recital 36: Determination of the Main Establishment
- 36.1. Data Controller
- 36.2. Data Processor
- 36.3. Both Controller and Processor
- 37. Recital 37: Enterprise Group
- 38. Recital 38: Special Protection of Children's Personal Data
- 39. Recital 39: Principles of Data Processing
- 40. Recital 40: Lawfulness of Data Processing
- 41. Recital 41: Legal Basis or Legislative Measures
- 42. Recital 42: Burden of Proof and Requirements for Consent
- 43. Recital 43: Freely Given Consent
- 44. Recital 44: Performance of a Contract
- 45. Recital 45: Fulfillment of Legal Obligations
- 46. Recital 46: Vital Interests of the Data Subject
- 47. Recital 47: Overriding Legitimate Interest
- 48. Recital 48: Overriding Legitimate Interest Within Group of Undertakings
- 49. Recital 49: Network and Information Security as Overriding Legitimate Interest
- 50. Recital 50: Further Processing of Personal Data
- 51. Recital 51: Protecting Sensitive Personal Data
- 52. Recital 52: Exceptions to the Prohibition on Processing Special Categories of Personal Data
- 53. Recital 53: Processing of Sensitive Data in Health and Social Sector
- 54. Recital 54: Processing of Sensitive Data in Public Health Sector
- 55. Recital 55: Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities
- 56. Recital 56: Processing Personal Data on People's Political Opinions by Parties
- 57. Recital 57: Additional Data for Identification Purposes
- 58. Recital 58: The Principle of Transparency
- 59. Recital 59: Procedures for the Exercise of the Rights of Data Subjects
- 60. Recital 60: Information Obligation
- 61. Recital 61: Time of Information
- 62. Recital 62: Exceptions to the Obligation to Provide Information
- 63. Recital 63: Right of Access
- 64. Recital 64: Identity Verification
- 65. Recital 65: Right of Rectification and Erasure
- 66. Recital 66: Right to be Forgotten
- 67. Recital 67: Restriction of Processing
- 68. Recital 68: Right of Data Portability
- 69. Recital 69: Right to Object
- 70. Recital 70: Right to Object to Direct Marketing
- 71. Recital 71: Profiling
- 72. Recital 72: Guidance of the European Data Protection Board Regarding Profiling
- 73. Recital 73: Restrictions of Rights and Principles
- 74. Recital 74: Responsibility and Liability of the Controller
- 75. Recital 75: Risks to the Rights and Freedoms of Natural Persons
- 76. Recital 76: Risk Assessment
- 77. Recital 77: Risk Assessment Guidelines
- 78. Recital 78: Appropriate Technical and Organisational Measures
- 79. Recital 79: Allocation of the Responsibilities
- 80. Recital 80: Designation of a Representative
- 81. Recital 81: The Use of Processors
- 82. Recital 82: Record of Processing Activities
- 83. Recital 83: Security of Processing
- 84. Recital 84: Risk Evaluation and Impact Assessment
- 85. Recital 85: Notification Obligation of Breaches to the Supervisory Authority
- 86. Recital 86: Notification of Data Subjects in Case of Data Breaches
- 87. Recital 87: Promptness of Reporting/Notification
- 88. Recital 88: Format and Procedures of the Notification
- 89. Recital 89: Elimination of the General Reporting Requirement
- 90. Recital 90: Data Protection Impact Assessment
- 91. Recital 91: Necessity of a Data Protection Impact Assessment
- 92. Recital 92: Broader Data Protection Impact Assessment
- 93. Recital 93: Data Protection Impact Assessment at Authorities
- 94. Recital 94: Consultation of the Supervisory Authority
- 95. Recital 95: Support by the Processor
- 96. Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process
- 97. Recital 97: Data Protection Officer
- 98. Recital 98: Preparation of Codes of Conduct by Organisations and Associations
- 99. Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct
- 100. Recital 100: Certification
- 101. Recital 101: General Principles for International Data Transfers
- 102. Recital 102: International Agreements for an Appropriate Level of Data Protection
- 103. Recital 103: Appropriate Level of Data Protection Based on an Adequacy Decision
- 104. Recital 104: Criteria for an Adequacy Decision
- 105. Recital 105: Consideration of International Agreements for an Adequacy Decision
- 106. Recital 106: Monitoring and Periodic Review of the Level of Data Protection
- 107. Recital 107: Amendment, Revocation and Suspension of Adequacy Decisions
- 108. Recital 108: Appropriate Safeguards
- 109. Recital 109: Standard Data Protection Clauses
- 110. Recital 110: Binding Corporate Rules
- 111. Recital 111: Exceptions for Certain Cases of International Transfers
- 112. Recital 112: Data Transfers due to Important Reasons of Public Interest
- 113. Recital 113: Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects
- 114. Recital 114: Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision
- 115. Recital 115: Rules in Third Countries Contrary to the Regulation
- 116. Recital 116: Cooperation Among Supervisory Authorities
- 117. Recital 117: Establishment of Supervisory Authorities
- 118. Recital 118: Monitoring of the Supervisory Authorities
- 119. Recital 119: Organisation of Several Supervisory Authorities of a Member State
- 120. Recital 120: Features of Supervisory Authorities
- 121. Recital 121: Independence of the Supervisory Authorities
- 122. Recital 122: Responsibility of the Supervisory Authorities
- 123. Recital 123: Cooperation of the Supervisory Authorities with Each Other and with the Commission
- 124. Recital 124: Lead Authority Regarding Processing in Several Member States
- 125. Recital 125: Competences of the Lead Authority
- 126. Recital 126: Joint Decisions
- 127. Recital 127: Information of the Supervisory Authority Regarding Local Processing
- 128. Recital 128: Responsibility Regarding Processing in the Public Interest
- 129. Recital 129: Tasks and Powers of the Supervisory Authorities
- 130. Recital 130: Consideration of the Authority with which the Complaint has been Lodged
- 131. Recital 131: Attempt of an Amicable Settlement
- 132. Recital 132: Awareness-Raising Activities and Specific Measures
- 133. Recital 133: Mutual Assistance and Provisional Measures
- 134. Recital 134: Participation in Joint Operations
- 135. Recital 135: Consistency Mechanism
- 136. Recital 136: Binding Decisions and Opinions of the Board
- 137. Recital 137: Provisional Measures
- 138. Recital 138: Urgency Procedure
- 139. Recital 139: European Data Protection Board
- 140. Recital 140: Secretariat and Staff of the Board
- 141. Recital 141: Right to Lodge a Complaint
- 142. Recital 142: The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association
- 143. Recital 143: Judicial Remedies
- 144. Recital 144: Related Proceedings
- 145. Recital 145: Choice of Venue
- 146. Recital 146: Indemnity
- 147. Recital 147: Jurisdiction
- 148. Recital 148: Penalties
- 149. Recital 149: Penalties for Infringements of National Rules
- 150. Recital 150: Administrative Fines
- 151. Recital 151: Administrative Fines in Denmark and Estonia
- 152. Recital 152: Power of Sanction of the Member States
- 153. Recital 153: Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression
- 154. Recital 154: Principle of Public Access to Official Documents
- 155. Recital 155: Processing in the Employment Context
- 156. Recital 156: Processing for Archiving, Scientific or Historical Research or Statistical Purposes
- 157. Recital 157: Information from Registries and Scientific Research
- 158. Recital 158: Processing for Archiving Purposes
- 159. Recital 159: Processing for Scientific Research Purposes
- 160. Recital 160: Processing for Historical Research Purposes
- 161. Recital 161: Consenting to the Participation in Clinical Trials
- 162. Recital 162: Processing for Statistical Purposes
- 163. Recital 163: Production of European and National Statistics
- 164. Recital 164: Professional or Other Equivalent Secrecy Obligations
- 165. Recital 165: No Prejudice of the Status of Churches and Religious Associations
- 166. Recital 166: Delegated Acts of the Commission
- 167. Recital 167: Implementing Powers of the Commission
- 168. Recital 168: Implementing Acts on Standard Clauses
- 169. Recital 169: Immediately Applicable Implementing Acts
- 170. Recital 170: Principle of Subsidiarity and Principle of Proportionality
- 171. Recital 171: Repeal of Directive 95/46/EC and Transitional Provisions
- 172. Recital 172: Consultation of the European Data Protection Supervisor
- 173. Recital 173: Relationship to Directive 2002/58/EC
Recital 1: Data Protection as a Fundamental Right
Everyone has the right to protect their personal data.
Recital 2: Respect of the Fundamental Rights and Freedoms
The GDPR promotes security, freedom, and data protection.
Recital 3: Directive 95/46/EC Harmonisation
Laws across Member States should be harmonised to facilitate the free movement of data across the EU territory.
Recital 4: Data Protection in Balance with Other Fundamental Rights
Data protection is not an "absolute" right, so sometimes the law puts other rights first.
Recital 5: Cooperation Between Member States to Exchange Personal Data
Member States are expected to help each other process data safely, securely and efficiently.
Recital 6: Ensuring a High Level of Data Protection Despite the Increased Exchange of Data
As technological advances make it easier for countries to share data, the law must keep pace.
Recital 7: The Framework is Based on Control and Certainty
The GDPR empowers individuals while offering businesses certainty over what they can and can't do with personal data.
Recital 8: Adoption into National Law
A Regulation like the GDPR is binding across all Member States.
Each Member State implements the Regulation in its own way. For example, the UK rolled out the Data Protection Act 2018, and Germany introduced the German Privacy Act (BDSG).
Recital 9: Different Standards of Protection by the Directive 95/46/EC
Member States didn't apply old EU data protection Directives consistently so the Union needed a new legal standard.
Recital 10: Harmonised Level of Data Protection Despite National Scope
Member States can introduce their own rules for processing personal data to the extent permitted by the GDPR, so long as the goal is to harmonise EU data protection law.
Recital 11: Harmonisation of the Powers and Sanctions
Improve data protection across Member States by:
- Setting out what data privacy rights people have
- Explaining how companies and organisations should uphold these rights
- Applying sanctions where relevant
Recital 12: Authorization of the European Parliament and the Council
The European Parliament and the Council can make and enforce data protection laws.
Recital 13: Taking Account of Micro, Small and Medium-Sized Enterprises
Companies with 250 or fewer employees don't need to record all their data processing activities because it's unduly onerous.
Member States should remember that SMEs have unique needs and it's disproportionate to expect them to have the same processing and record-keeping requirements as large corporations.
Read this Recital alongside GDPR Article 30.
Recital 14: Not Applicable to Legal Persons
The GDPR doesn't protect legal persons, e.g. companies. It only protects natural persons, i.e. people.
Recital 15: Technology Neutrality
The GDPR is technology neutral and applies online and offline, with very limited exceptions.
Recital 16: Not Applicable to Activities Regarding National and Common Security
Some matters, such as national security, are controlled at Member State level. The EU has no jurisdiction over these issues and the GDPR doesn't apply.
Recital 17: Adaptation of Regulation (EC) No 45/2001
Member States must adapt existing EU data protection law so that it's compatible with the GDPR.
Recital 18: Not Applicable to Personal or Household Activities
Data collected for personal, home, or private use isn't covered by the GDPR.
Recital 19: Not Applicable to Criminal Prosecution
Criminal prosecution is devolved to Member States so it doesn't fall under the EU's jurisdiction, with few exceptions.
Recital 20: Respecting the Independence of the Judiciary
The law courts are impartial and the EU's supervisory bodies have no jurisdiction over judicial bodies exercising their duties.
Recital 21: Liability Rules of Intermediary Service Providers Shall Remain Unaffected
The GDPR doesn't affect the EU's Electronic Commerce Directive so far as it applies to intermediaries such as internet service provider companies.
Recital 22: Processing by an Establishment
If your organization or business is based in the EU, it doesn't matter where your data processing takes place. The GDPR applies.
Recital 23: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Targeted
If you plan on marketing your goods or services to EU citizens ("data subjects"), you must comply with the GDPR even if you're not based in the EU.
Just because an EU citizen can access your website doesn't mean they're automatically entitled to GDPR protection. There must be some intent on your part to market your services towards them.
Recital 24: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Profiled
If you're monitoring how EU citizens behave, whether it's for marketing or other analytics purposes, you're bound by the GDPR.
Recital 25: Applicable to Processors Due to International Law
Whenever EU law applies according to international forum rules, the GDPR applies.
Recital 26: Not Applicable to Anonymous Data
If you anonymise data so that it's no longer possible to identify a named individual, the GDPR doesn't apply.
So, if you've anonymised data for statistical purposes or scientific research, and it's impossible to "unscramble" this data and identify anyone, it's exempt.
Recital 27: Not Applicable to Data of Deceased Persons
Data belonging to a deceased person isn't protected by the GDPR.
Recital 28: Introduction of Pseudonymisation
You can use pseudonymisation to protect personal data.
Recital 29: Pseudonymisation at the Same Controller
The same controller can simultaneously use pseudonymisation techniques on personal data while using it for another purpose, so long as data protection measures are enforced at all times.
Recital 30: Online Identifiers for Profiling and Identification
It's possible to identify people using tools like cookies and IP addresses, so these "identifiers" should be treated like personal data.
Anything that leaves a "mark" that can be traced back to an identifiable individual is subject to GDPR.
Recital 31: Not Applicable to Public Authorities in Connection with Their Official Tasks
Public authorities, such as the tax office, don't need to comply with the GDPR when they're carrying out their legally-assigned tasks.
Recital 32: Conditions for Consent
Under the GDPR, you often need user consent to collect personal data. Consent is only valid if it is:
- Clear
- Specific
- Given freely
- Informed
You can't "bundle" consent, e.g. you can't assume that someone who consents to receiving an email newsletter also consents to telephone or mail marketing.
You can't assume that "silence" equals consent.
Recital 33: Consent to Certain Areas of Scientific Research
If you're collecting data for scientific research, you must give people the opportunity to specify what kind of research you can use their data for.
Recital 34: Genetic Data
Genetic data is any data relating to someone's acquired or inherited characteristics, obtained by biological analysis.
Recital 35: Health Data
Health data gives information on someone's past, future, or current state of mental or physical health.
Recital 36: Determination of the Main Establishment
Which Member State supervisory authority has jurisdiction over a company depends on where it holds its "main establishment" or primary place of business in the EU.
Data Controller
A data controller's "main establishment" is wherever they make decisions regarding personal data processing. This isn't necessarily the same place where they process data.
Data Processor
A data processor's main base is its:
- Place of business within the EU, or
- Wherever in the EU it processes data
Both Controller and Processor
If a company is both a data processor and a data controller, it falls under the supervisory authority of the Member State where it has its main place of business.
Recital 37: Enterprise Group
An "enterprise group" is a group of undertakings.
A group of undertakings is one primary business which exerts meaningful control over smaller companies.
Recital 38: Special Protection of Children's Personal Data
Since children are less likely to understand the consequences of sharing their data with others, they're afforded special protection by the GDPR.
Recital 39: Principles of Data Processing
This Recital elaborates on the GDPR's major data protection principles set out in Article 5.
- Data processing must be lawful, transparent, and fair
- You should only capture as much data as necessary to fulfill a specific purpose
- Data shouldn't be kept any longer than necessary
- You must inform users of the risks associated with sharing data online and show them how they can exercise their rights
- You must correct inaccurate data or delete it if requested
- Prioritise confidentiality at all times
Recital 40: Lawfulness of Data Processing
Data processing can only be legal if it's based on:
- An individual's clear, unequivocal, informed consent
- Necessity, e.g. to fulfill an essential contract between the parties
- A legitimate business interest
- Public interest
Recital 41: Legal Basis or Legislative Measures
Under the GDPR, "legal basis" doesn't always mean a legal basis derived from some piece of legislation.
Recital 42: Burden of Proof and Requirements for Consent
You must show proof that you obtained someone's free, informed consent if you're relying on user consent.
You must also prove that it's easy for users to withdraw consent and that you've told them how to exercise this right.
Recital 43: Freely Given Consent
Consent isn't freely given if there's an obvious imbalance in power between the individual and the controller, e.g. if the controller is a public authority such as HMRC.
If you block a customer from completing a contract until they consent to marketing activities unrelated to this contract, this isn't freely given consent.
Recital 44: Performance of a Contract
Contractual performance is a lawful basis for data processing.
Recital 45: Fulfillment of Legal Obligations
Fulfilling a legal obligation constitutes a lawful basis if you can show the task has a genuine basis in Member State or Union law.
Recital 46: Vital Interests of the Data Subject
You can process personal data if it's in someone's vital interests only if they're unable to consent themselves.
Recital 47: Overriding Legitimate Interest
You don't need consent if you have a legitimate business interest in processing data in a particular way, e.g. using existing customer data for customer profiling. However, you can't use this basis to override the individual's legitimate interests.
Recital 48: Overriding Legitimate Interest Within Group of Undertakings
Sometimes, there's a legitimate interest for one undertaking within the group to share data with the others.
Recital 49: Network and Information Security as Overriding Legitimate Interest
You can process personal data to test the security of your network if you can demonstrate that it's a legitimate business interest to do so, and that it improves your cybersecurity which protects data subjects.
Recital 50: Further Processing of Personal Data
Generally, you can only process personal data for the reason you originally acquired it.
Exceptions include:
- When further processing is compatible with the reasons why you collected it in the first place, i.e. individuals could reasonably expect you to use the data in this way
- You're archiving it
- You're using it for scientific research
- It's in the public interest
Recital 51: Protecting Sensitive Personal Data
Typically, you shouldn't process certain types of personal data unless you have express permission or you're a public body exercising a legitimate interest.
Sensitive personal data, defined in Article 9, includes:
- Biometric data
- Religious and trade union affiliations
- Sexual orientation
Recital 52: Exceptions to the Prohibition on Processing Special Categories of Personal Data
Public authorities can process special categories of personal data in very specific circumstances.
Recital 53: Processing of Sensitive Data in Health and Social Sector
It's necessary for healthcare bodies to process sensitive data to provide cross-border healthcare services throughout the EU.
Recital 54: Processing of Sensitive Data in Public Health Sector
Authorities may process sensitive data without consent to pursue public interest matters including pandemic monitoring.
Recital 55: Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities
It's in the public interest for official government bodies to collect religious data if it's used to further the legitimate aims of a recognized religious body.
Recital 56: Processing Personal Data on People's Political Opinions by Parties
Political parties can process data for electoral purposes if this activity is required by Member State law.
Recital 57: Additional Data for Identification Purposes
If you're a data controller holding some personal data, but you can't specifically identify who it belongs to, it's not your responsibility to find out.
Recital 58: The Principle of Transparency
You need to be transparent about your data processing practices and explain them in a user-friendly way, i.e. through a Privacy Policy.
Recital 59: Procedures for the Exercise of the Rights of Data Subjects
It's your responsibility to:
- Help people exercise their data rights
- Provide people with copies of the personal data you hold on them
Recital 60: Information Obligation
You should tell people why you need their data and what happens to it.
Recital 61: Time of Information
You must give someone access to your Privacy Policy at the point of collecting personal data.
An exception is where you get their data from a third party. In this case, you need to notify them about your Privacy Policy within a reasonable period.
Recital 62: Exceptions to the Obligation to Provide Information
If you're using personal data for archiving or statistical purposes, it may be disproportionate to expect you to contact the individuals involved.
Recital 63: Right of Access
If you hold someone's personal data, they have a right to access it.
Recital 64: Identity Verification
Take proportionate steps to verify someone's identity before releasing personal data to them.
Recital 65: Right of Rectification and Erasure
Individuals have the right to request that you delete or amend their personal data.
You must comply with an erasure request unless there's a legitimate reason.
Recital 66: Right to be Forgotten
If someone wants you to "forget" them and delete their personal data, you must communicate this request to third parties that hold this particular information.
Recital 67: Restriction of Processing
If you process someone's personal data, they can ask you to stop using it in a certain way.
Recital 68: Right of Data Portability
An individual has the right to request a copy of the data you hold on them in a portable format.
Recital 69: Right to Object
Even if you're processing data in the public interest, the data subject can object. It's on you to demonstrate why your interest supersedes their personal data rights.
Recital 70: Right to Object to Direct Marketing
Without exception, people have the right to object to marketing communications, and you must comply.
Recital 71: Profiling
Someone can object if you make decisions about them based on their past behavior. An example could be automatically refusing someone credit based on their profile.
If you do use personal data for profiling, you must give people the chance to reject your decision and argue their case based on a wider range of facts.
Recital 72: Guidance of the European Data Protection Board Regarding Profiling
Profiling falls under the scope of the GDPR.
Recital 73: Restrictions of Rights and Principles
When permissible under EU human rights law, Member States can restrict someone's ability to exercise their data rights.
Recital 74: Responsibility and Liability of the Controller
Liability for GDPR compliance falls to the data controller.
Recital 75: Risks to the Rights and Freedoms of Natural Persons
Data processing may cause harm to the individual, including reputation damage and financial losses in the event of a data breach.
Recital 76: Risk Assessment
It's on the controller or processor to determine what the risk factors referred to in Recital 75 are.
Recital 77: Risk Assessment Guidelines
Suggestions can be made by the Board or data protection officers for how to manage risk factors.
Recital 78: Appropriate Technical and Organisational Measures
Data protection should be the default position within your organisation. This is known as "data protection by design and default" and includes measures like cybersecurity.
Recital 79: Allocation of the Responsibilities
Data controllers must be clear on who has responsibility for GDPR compliance when there are multiple controllers or they're working with a processor.
Recital 80: Designation of a Representative
If you're based outside the EU, you must nominate an EU representative if you handle special categories of data.
Recital 81: The Use of Processors
Data controllers must obtain proof that their chosen data processor complies with the GDPR.
Recital 82: Record of Processing Activities
Controllers and processors should keep records of their processing activities unless it's disproportionate.
Recital 83: Security of Processing
Safeguard against the risks associated with data processing by using techniques such as encryption.
Recital 84: Risk Evaluation and Impact Assessment
If you're handling high-risk data, conduct an impact assessment to determine how you can mitigate risks. Always check with your supervisory authority before proceeding if you're unsure.
Recital 85: Notification Obligation of Breaches to the Supervisory Authority
Controllers have a duty to report data breaches to their supervisory authority within 72 hours of discovering the breach.
An exception is when the breach poses no risk of harm to anyone.
Recital 86: Notification of Data Subjects in Case of Data Breaches
You must also notify individuals if a data breach affects them. Do this without delay.
Recital 87: Promptness of Reporting/Notification
You should always notify affected individuals as soon as possible, particularly if it's a serious data breach.
Recital 88: Format and Procedures of the Notification
It's sometimes in the legitimate interests of public authorities to withhold information about a data breach until a later date.
Recital 89: Elimination of the General Reporting Requirement
There's no need to report every single data processing activity to the supervisory authorities.
Recital 90: Data Protection Impact Assessment
Data protection impact assessments must be carried out by controllers handling high-risk data.
Recital 91: Necessity of a Data Protection Impact Assessment
Even if the data you process isn't high risk, conduct an impact assessment if you handle large volumes of information or make significant automated decisions.
Recital 92: Broader Data Protection Impact Assessment
Sometimes, a single impact assessment affects an entire industry or multiple controllers.
Recital 93: Data Protection Impact Assessment at Authorities
Member States can undertake country-wide impact assessments.
Recital 94: Consultation of the Supervisory Authority
Consult with the supervisory authority if your impact assessment shows that you don't have the procedures in place for protecting high-risk data, and you're unsure how to remedy this.
Recital 95: Support by the Processor
Processors should support impact assessments undertaken by their controllers, where possible.
Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process
Supervisory authorities oversee the implementation of new data processing regulations.
Recital 97: Data Protection Officer
Controllers processing large volumes of personal data or handling special category data may be expected to appoint a designated Data Protection Officer. This DPO should be impartial even if they're a company employee.
Recital 98: Preparation of Codes of Conduct by Organisations and Associations
Associations should draw up Codes of Conduct for data processing to support their members.
Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct
Consider the views of affected individuals when drawing up a Code of Conduct.
Recital 100: Certification
Member States should provide certification to professional bodies and companies that demonstrate good GDPR compliance.
Recital 101: General Principles for International Data Transfers
If you transfer data to a third country, i.e. a country outside the EU, you must comply with the GDPR.
Recital 102: International Agreements for an Appropriate Level of Data Protection
EU Member States can enter their own (compliant) agreements with third countries.
Recital 103: Appropriate Level of Data Protection Based on an Adequacy Decision
The European Commission can "approve" a third country as being GDPR compliant. You can freely exchange information with these territories.
Recital 104: Criteria for an Adequacy Decision
To become an approved country, the national privacy laws must be comparable to the GDPR.
Recital 105: Consideration of International Agreements for an Adequacy Decision
Signing up to international data protection agreements can improve a third country's chance of securing approved status.
Recital 106: Monitoring and Periodic Review of the Level of Data Protection
Approved countries are periodically reviewed.
Recital 107: Amendment, Revocation and Suspension of Adequacy Decisions
The Commission can remove countries from the approved list.
Recital 108: Appropriate Safeguards
If you're transferring data to a non-approved country, you should put appropriate safeguards in place, such as a contractual agreement that guarantees data protection rights.
Recital 109: Standard Data Protection Clauses
You can use standardised clauses provided by your supervisory authority for your third country agreements.
Recital 110: Binding Corporate Rules
If one undertaking in a group of undertakings is based in a third country, there must be binding corporate rules in place to regulate safe data transfer between the organisations.
Recital 111: Exceptions for Certain Cases of International Transfers
You can forgo the rules around third country transfers if the affected individual explicitly consents to it or it's in the public interest.
Recital 112: Data Transfers due to Important Reasons of Public Interest
When it's necessary for humanitarian aims, or to protect life, third country rules can be waived.
Recital 113: Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects
If it's a one-off data transfer and it only affects a small number of people, you can possibly waive third country transfer rules.
Recital 114: Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision
You must ensure that data subjects can exercise their rights if you exchange data with a third country.
Recital 115: Rules in Third Countries Contrary to the Regulation
When third country laws contradict the GDPR, it may not be necessary to comply with them.
Recital 116: Cooperation Among Supervisory Authorities
When there's a cross-border data transfer, supervisory authorities must work together to facilitate it.
Recital 117: Establishment of Supervisory Authorities
There must be at least one supervisory authority per Member State.
Recital 118: Monitoring of the Supervisory Authorities
Supervisory authorities are subject to legal scrutiny.
Recital 119: Organisation of Several Supervisory Authorities of a Member State
Every supervisory authority within a Member State must apply the GDPR consistently.
Recital 120: Features of Supervisory Authorities
Member States must ensure that supervisory authorities have the financial resources they need to fulfil their duties.
Recital 121: Independence of the Supervisory Authorities
Supervisory authority members should always act independently.
Recital 122: Responsibility of the Supervisory Authorities
Supervisory authorities have various duties including GDPR compliance investigations and complaints handling.
Recital 123: Cooperation of the Supervisory Authorities with Each Other and with the Commission
Supervisory authorities can cooperate with one another.
Recital 124: Lead Authority Regarding Processing in Several Member States
A "lead" supervisory authority must be appointed when data processing affects individuals across two or more Member States.
Recital 125: Competences of the Lead Authority
The lead supervisory authority can make binding decisions that affect the other supervisory authorities.
Recital 126: Joint Decisions
If there's a cross-border data processing complaint, the supervisory authorities should work together to find a solution.
Recital 127: Information of the Supervisory Authority Regarding Local Processing
If there's a small local matter affecting a data processor or controller established across two or more Member States, the local supervisory authority can deal with the issue.
Recital 128: Responsibility Regarding Processing in the Public Interest
When a public authority processes data in the public interest, and someone makes a complaint, the local supervisory authority should always be the one to handle matters.
Recital 129: Tasks and Powers of the Supervisory Authorities
Supervisory authorities can:
- Control data processing
- Handle non-compliance complaints
- Issue sanctions, where appropriate
Member States can offer their respective supervisory authorities more powers.
Recital 130: Consideration of the Authority with which the Complaint has been Lodged
If someone lodges a complaint with the local supervisory authority rather than the lead authority, the lead authority must consider the local authority's opinion when administering sanctions.
Recital 131: Attempt of an Amicable Settlement
Where appropriate, supervisory authorities can handle disputes amicably.
Recital 132: Awareness-Raising Activities and Specific Measures
Each supervisory authority should promote good data compliance practices.
Recital 133: Mutual Assistance and Provisional Measures
Where possible, supervisory authorities should assist each other.
Recital 134: Participation in Joint Operations
Supervisory authorities can conduct joint operations.
Recital 135: Consistency Mechanism
Supervisory authorities should always behave consistently.
Recital 136: Binding Decisions and Opinions of the Board
The European Data Protection Board (EDPB) can judge whether supervisory authorities are behaving consistently.
Recital 137: Provisional Measures
Supervisory authorities can enact temporary measures to protect personal data rights, when appropriate.
Recital 138: Urgency Procedure
Supervisory authorities can act together without regard for consistency when there's an emergency cross-border dispute.
Recital 139: European Data Protection Board
The EDPB can:
- Ensure supervisory authorities cooperate
- Help the authorities apply GDPR properly
Recital 140: Secretariat and Staff of the Board
The EDPB has a secretariat.
Recital 141: Right to Lodge a Complaint
Everyone can complain to their supervisory authority if they're unhappy with a data processing issue.
Recital 142: The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association
Nonprofits with a legitimate interest can support people when they bring complaints against a controller, processor, or supervisory authority.
Recital 143: Judicial Remedies
Data subjects can ask the courts to review an EDPB decision.
Recital 144: Related Proceedings
If someone brings a case against a processor or controller in one court, and there's another similar case already pending in another court, the second case will be suspended until the first case settles.
Recital 145: Choice of Venue
Usually, an individual can sue a controller or processor in either:
- Their own Member State
- Wherever the processor or controller has its main base
Recital 146: Indemnity
Data controllers and processors must compensate affected individuals if there's a data breach, unless they can prove they're blameless.
Recital 147: Jurisdiction
There are specific rules for when the GDPR applies in various courts.
Recital 148: Penalties
Financial penalties are always permitted if a company breaches the GDPR, but they're not always issued. It depends on:
- The offence severity
- How quickly it was reported
- Whether it's the first incident
- If the company took steps to mitigate the damage
Recital 149: Penalties for Infringements of National Rules
Member States can establish their own criminal penalties for GDPR breaches.
Recital 150: Administrative Fines
Supervisory authorities have the power to issue fines, so long as they're consistent in how they apply this power.
Recital 151: Administrative Fines in Denmark and Estonia
These countries have their own legal frameworks for applying GDPR fines.
Recital 152: Power of Sanction of the Member States
A Member State can supplement the GDPR penalty framework with its own rules.
Recital 153: Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression
Sometimes, there's a need to prioritise freedom of expression over the GDPR, particularly in the professions mentioned in this Recital.
Recital 154: Principle of Public Access to Official Documents
Freedom of information isn't restricted by the GDPR.
Recital 155: Processing in the Employment Context
There's a need for Member States to legislate on how to process personal data in the employment context. Some employment situations, such as diversity planning, may be exempt from the GDPR.
Recital 156: Processing for Archiving, Scientific or Historical Research or Statistical Purposes
If you're processing personal data for these specific purposes, special safeguards are essential.
It's permissible to use personal data provided for other purposes for the reasons outlined in this Recital so long as the affected individuals can't be identified.
Recital 157: Information from Registries and Scientific Research
Personal data from registries, processed for scientific research purposes, must be protected at all times.
Recital 158: Processing for Archiving Purposes
When Member States process personal data for archiving purposes, the GDPR applies.
Recital 159: Processing for Scientific Research Purposes
For GDPR purposes, scientific research includes public health matters and tech development.
Recital 160: Processing for Historical Research Purposes
The GDPR covers historical research, except where it concerns deceased people.
Recital 161: Consenting to the Participation in Clinical Trials
Clinical trials fall outside the scope of the GDPR.
Recital 162: Processing for Statistical Purposes
If statistical data processing makes it impossible to identify the individuals involved, you can use the data for other purposes without getting consent.
Recital 163: Production of European and National Statistics
The GDPR covers statistical research performed on a national or EU-wide level.
Recital 164: Professional or Other Equivalent Secrecy Obligations
Member States can restrict supervisory authority access to restricted data, if it's justified on secrecy grounds.
Recital 165: No Prejudice of the Status of Churches and Religious Associations
The GDPR doesn't affect Member State laws on churches and protected associations.
Recital 166: Delegated Acts of the Commission
If the European Commission wants to make minor changes to existing laws, it can.
Recital 167: Implementing Powers of the Commission
The Commission can implement the GDPR.
Recital 168: Implementing Acts on Standard Clauses
If the Commission implements parts of the GDPR, it should do so only after closely examining the matter, and it should always act consistently.
Recital 169: Immediately Applicable Implementing Acts
The Commission may act urgently, if necessary.
Recital 170: Principle of Subsidiarity and Principle of Proportionality
Subsidiarity: The EU has jurisdiction over matters best handled at supranational rather than Member State level.
Proportionality: The EU should do only what's necessary to achieve something, and no more.
Recital 171: Repeal of Directive 95/46/EC and Transitional Provisions
The GDPR replaces this directive.
Recital 172: Consultation of the European Data Protection Supervisor
The European Data Protection Supervisor delivered an opinion on the GDPR in 2012.
Recital 173: Relationship to Directive 2002/58/EC
The EU's ePrivacy Directive is unrelated to the GDPR, but should be read consistently alongside it.