Recitals of the GDPR

The EU's General Data Privacy Regulation (GDPR) contains 99 clauses known as Articles, and 173 Recitals. Although they're not strictly legally binding on their own, the Recitals are critical to understanding the GDPR and applying the privacy law properly.

Here we will work through each GDPR Recital and summarize its main points.

Recital 1: Data Protection as a Fundamental Right

Everyone has the right to protect their personal data.

Recital 2: Respect of the Fundamental Rights and Freedoms

The GDPR promotes security, freedom, and data protection.

Recital 3: Directive 95/46/EC Harmonisation

Laws across Member States should be harmonised to facilitate the free movement of data across the EU territory.

Recital 4: Data Protection in Balance with Other Fundamental Rights

Data protection is not an "absolute" right, so sometimes the law puts other rights first.

Recital 5: Cooperation Between Member States to Exchange Personal Data

Member States are expected to help each other process data safely, securely and efficiently.

Recital 6: Ensuring a High Level of Data Protection Despite the Increased Exchange of Data

As technological advances make it easier for countries to share data, the law must keep pace.

Recital 7: The Framework is Based on Control and Certainty

The GDPR empowers individuals while offering businesses certainty over what they can and can't do with personal data.

Recital 8: Adoption into National Law

A Regulation like the GDPR is binding across all Member States.

Each Member State implements the Regulation in its own way. For example, the UK rolled out the Data Protection Act 2018, and Germany introduced the German Privacy Act (BDSG).

Recital 9: Different Standards of Protection by the Directive 95/46/EC

Member States didn't apply old EU data protection Directives consistently so the Union needed a new legal standard.

Recital 10: Harmonised Level of Data Protection Despite National Scope

Member States can introduce their own rules for processing personal data to the extent permitted by the GDPR, so long as the goal is to harmonise EU data protection law.

Recital 11: Harmonisation of the Powers and Sanctions

Improve data protection across Member States by:

  • Setting out what data privacy rights people have
  • Explaining how companies and organisations should uphold these rights
  • Applying sanctions where relevant

Recital 12: Authorization of the European Parliament and the Council

The European Parliament and the Council can make and enforce data protection laws.

Recital 13: Taking Account of Micro, Small and Medium-Sized Enterprises

Companies with 250 or fewer employees don't need to record all their data processing activities because it's unduly onerous.

Member States should remember that SMEs have unique needs and it's disproportionate to expect them to have the same processing and record-keeping requirements as large corporations.

Read this Recital alongside GDPR Article 30.

The GDPR doesn't protect legal persons e.g. companies. It only protects natural persons i.e. people.

Recital 15: Technology Neutrality

The GDPR is tech neutral and applies on or offline with very limited exceptions.

Recital 16: Not Applicable to Activities Regarding National and Common Security

Some matters, such as national security, are controlled at Member State level. The EU has no jurisdiction over these issues and the GDPR doesn't apply.

Recital 17: Adaptation of Regulation (EC) No 45/2001

Member States must adapt existing EU data protection law so that it's compatible with the GDPR.

Recital 18: Not Applicable to Personal or Household Activities

Data collected for personal, home, or private use isn't covered by the GDPR.

Recital 19: Not Applicable to Criminal Prosecution

Criminal prosecution is devolved to Member States so it doesn't fall under the EU's jurisdiction, with few exceptions.

Recital 20: Respecting the Independence of the Judiciary

The law courts are impartial and the EU's supervisory bodies have no jurisdiction over judicial bodies exercising their duties.

Recital 21: Liability Rules of Intermediary Service Providers Shall Remain Unaffected

The GDPR doesn't affect the EU's Electronic Commerce Directive so far as it applies to intermediaries such as internet service provider companies.

Recital 22: Processing by an Establishment

If your organization or business is based in the EU, it doesn't matter where your data processing takes place. The GDPR applies.

Recital 23: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Targeted

If you plan on marketing your goods or services to EU citizens ("data subjects"), you must comply with the GDPR even if you're not based in the EU.

Just because an EU citizen can access your website doesn't mean they're automatically entitled to GDPR protection. There must be some intent on your part to market your services towards them.

Recital 24: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Profiled

If you're monitoring how EU citizens behave, whether it's for marketing or other analytics purposes, you're bound by the GDPR.

Recital 25: Applicable to Processors Due to International Law

Whenever EU law applies according to international forum rules, the GDPR applies.

Recital 26: Not Applicable to Anonymous Data

If you anonymise data and it's no longer possible to convincingly identify a named individual, the GDPR doesn't apply.

So, if you've anonymised data for statistical purposes or scientific research, and it's impossible to "unscramble" this data and identify anyone, it's exempt.

Recital 27: Not Applicable to Data of Deceased Persons

Data belonging to a deceased person isn't protected by the GDPR.

Recital 28: Introduction of Pseudonymisation

You can use pseudonymisation to protect personal data.

Recital 29: Pseudonymisation at the Same Controller

The same controller can simultaneously use pseudonymisation techniques on personal data while using it for another purpose, so long as data protection measures are enforced at all times.

Recital 30: Online Identifiers for Profiling and Identification

It's possible to identify people using tools like cookies and IP addresses, so these "identifiers" should be treated like personal data.

Anything that leaves a "mark" that can be traced back to an identifiable individual is subject to GDPR.

Recital 31: Not Applicable to Public Authorities in Connection with Their Official Tasks

Public authorities, such as the tax office, don't need to comply with the GDPR when they're carrying out their legally-assigned tasks.

Under the GDPR, you often need user consent to collect personal data. Consent is only valid if it is:

  • Clear
  • Specific
  • Given freely
  • Informed

You can't "bundle" consent e.g. you can't assume that someone who consents to receiving an email newsletter also consents to telephone or mail marketing.

You can't assume that "silence" equals consent.

If you're collecting data for scientific research, you must give people the opportunity to specify what kind of research you can use their data for.

Recital 34: Genetic Data

Genetic data is any data relating to someone's acquired or inherited characteristics, obtained by biological analysis.

Recital 35: Health Data

Health data gives information on someone's past, future, or current state of mental or physical health.

Recital 36: Determination of the Main Establishment

Which Member State supervisory authority has jurisdiction over a company depends on where it holds its "main establishment" or primary place of business in the EU.

Data Controller

A data controller's "main establishment" is wherever they make decisions regarding personal data processing. This isn't necessarily the same place where they process data.

Data Processor

A data processor's main base is its:

  • Place of business within the EU, or
  • Wherever in the EU it processes data

Both Controller and Processor

If a company is both a data processor and data controller, it's controlled by the Member State where it has its main place of business.

Recital 37: Enterprise Group

An "enterprise group" is a group of undertakings.

A group of undertakings is one primary business which exerts meaningful control over smaller companies.

Recital 38: Special Protection of Children's Personal Data

Since children are less likely to understand the consequences of sharing their data with others, they're afforded special protection by the GDPR.

Recital 39: Principles of Data Processing

This Recital elaborates on the GDPR's major data protection principles set out in Article 5.

  • Data processing must be lawful, transparent, and fair
  • You should only capture as much data as necessary to fulfill a specific purpose
  • Data shouldn't be kept any longer than necessary
  • You must inform users of the risks associated with sharing data online and show them how they can exercise their rights
  • You must correct inaccurate data or delete it if requested
  • Prioritise confidentiality at all times

Recital 40: Lawfulness of Data Processing

Data processing can only be legal if it's based on:

  • An individual's clear, unequivocal, informed consent
  • Necessity e.g. to fulfill an essential contract between the parties
  • A legitimate business interest
  • Public interest

Under the GDPR, "legal basis" doesn't always mean a legal basis derived from some piece of legislation.

You must show proof that you obtained someone's free, informed consent if you're relying on user consent.

You must also prove that it's easy for users to withdraw consent and that you've told them how to exercise this right.

Consent isn't freely given if there's an obvious imbalance in power between the individual and the controller e.g. if they're a public authority such as the HMRC.

If you block a customer from completing a contract until they consent to marketing activities unrelated to this contract, this isn't freely given consent.

Recital 44: Performance of a Contract

Contractual performance is a lawful basis for data processing.

Fulfilling a legal obligation constitutes a lawful basis if you can show the task has a genuine basis in Member State or Union law.

Recital 46: Vital Interests of the Data Subject

You can process personal data in someone's vital interests, but only if they're unable to consent themselves.

Recital 47: Overriding Legitimate Interest

You don't need consent if you have a legitimate business interest in processing data in a particular way e.g. using existing customer data for customer profiling. However, you can't use this basis to override the individual's legitimate interests.

Recital 48: Overriding Legitimate Interest Within Group of Undertakings

Sometimes, there's a legitimate interest for one undertaking within the group to share data with the others.

Recital 49: Network and Information Security as Overriding Legitimate Interest

You can process personal data to test the security of your network if you can demonstrate that it's a legitimate business interest to do so, and that it improves your cybersecurity which protects data subjects.

Recital 50: Further Processing of Personal Data

Generally, you can only process personal data for the reason you originally acquired it.

Exceptions include:

  • When further processing is compatible with the reasons why you collected it in the first place i.e. individuals could reasonably expect you to use the data in this way
  • You're archiving it
  • You're using it for scientific research
  • It's in the public interest

Recital 51: Protecting Sensitive Personal Data

Typically, you shouldn't process certain types of personal data unless you have express permission or you're a public body exercising a legitimate interest.

Sensitive personal data, defined in Article 9, includes:

  • Biometric data
  • Religious and trade union affiliations
  • Sexual orientation

Recital 52: Exceptions to the Prohibition on Processing Special Categories of Personal Data

Public authorities can process special categories of personal data in very specific circumstances.

Recital 53: Processing of Sensitive Data in Health and Social Sector

It's necessary for healthcare bodies to process sensitive data to provide cross-border healthcare services throughout the EU.

Recital 54: Processing of Sensitive Data in Public Health Sector

Authorities may process sensitive data without consent to pursue public interest matters including pandemic monitoring.

Recital 55: Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities

It's in the public interest for official government bodies to collect religious data if it's used to further the legitimate aims of a recognized religious body.

Recital 56: Processing Personal Data on People's Political Opinions by Parties

Political parties can process data for electoral purposes if this activity is required by Member State law.

Recital 57: Additional Data for Identification Purposes

If you're a data controller holding some personal data, but you can't specifically identify who it belongs to, it's not your responsibility to find out.

Recital 58: The Principle of Transparency

You need to be transparent about your data processing practices and explain them in a user-friendly way i.e. through a Privacy Policy.

Recital 59: Procedures for the Exercise of the Rights of Data Subjects

It's your responsibility to:

  • Help people exercise their data rights
  • Provide people with copies of the personal data you hold on them

Recital 60: Information Obligation

You should tell people why you need their data and what happens to it.

Recital 61: Time of Information

You must give someone access to your Privacy Policy at the point of collecting personal data.

An exception is where you get their data from a third party. In this case, you need to notify them about your Privacy Policy within a reasonable period.

Recital 62: Exceptions to the Obligation to Provide Information

If you're using personal data for archiving or statistical purposes, it may be disproportionate to expect you to contact the individuals involved.

Recital 63: Right of Access

If you hold someone's personal data, they have a right to access it.

Recital 64: Identity Verification

Take proportionate steps to verify someone's identification before releasing personal data to them.

Recital 65: Right of Rectification and Erasure

Individuals have the right to request that you delete or amend their personal data.

You must comply with an erasure request unless there's a legitimate reason.

Recital 66: Right to be Forgotten

If someone wants you to "forget" them and delete their personal data, you must communicate this request to third parties that hold this particular information.

Recital 67: Restriction of Processing

If you process someone's personal data, they can ask you to stop using it in a certain way.

Recital 68: Right of Data Portability

An individual has the right to request a copy of the data you hold on them in a portable format.

Recital 69: Right to Object

Even if you're processing data in the public interest, the data subject can object. It's on you to demonstrate why your interest supersedes their personal data rights.

Recital 70: Right to Object to Direct Marketing

Without exception, people have the right to object to marketing communications, and you must comply.

Recital 71: Profiling

Someone can object if you make decisions about them based on their past behavior. An example could be automatically refusing someone credit based on their profile.

If you do use personal data for profiling, you must give people the chance to reject your decision and argue their case based on a wider range of facts.

Recital 72: Guidance of the European Data Protection Board Regarding Profiling

Profiling falls under the scope of the GDPR.

Recital 73: Restrictions of Rights and Principles

When permissible under EU human rights law, Member States can restrict someone's ability to exercise their data rights.

Recital 74: Responsibility and Liability of the Controller

Liability for GDPR compliance falls to the data controller.

Recital 75: Risks to the Rights and Freedoms of Natural Persons

Data processing may cause harm to the individual, including reputation damage and financial losses in the event of a data breach.

Recital 76: Risk Assessment

It's on the controller or processor to determine what the risk factors referred to in Recital 75 are.

Recital 77: Risk Assessment Guidelines

Suggestions can be made by the Board or data protection officers for how to manage risk factors.

Recital 78: Appropriate Technical and Organisational Measures

Data protection should be the default position within your organisation. This is known as "data protection by design and default" and includes measures like cybersecurity.

Recital 79: Allocation of the Responsibilities

Data controllers must be clear on who has responsibility for GDPR compliance when there are multiple controllers or they're working with a processor.

Recital 80: Designation of a Representative

If you're based outside the EU, you must nominate an EU representative if you handle special categories of data.

Recital 81: The Use of Processors

Data controllers must obtain proof that their chosen data processor complies with the GDPR.

Recital 82: Record of Processing Activities

Controllers and processors should keep records of their processing activities unless it's disproportionate.

Recital 83: Security of Processing

Safeguard against the risks associated with data processing by using techniques such as encryption.

Recital 84: Risk Evaluation and Impact Assessment

If you're handling high-risk data, conduct an impact assessment to determine how you can mitigate risks. Always check with your supervisory authority before proceeding if you're unsure.

Recital 85: Notification Obligation of Breaches to the Supervisory Authority

Controllers have a duty to report data breaches to their supervisory authority within 72 hours of discovering the breach.

An exception is when the risk doesn't pose harm to anyone.

Recital 86: Notification of Data Subjects in Case of Data Breaches

You must also notify individuals if a data breach affects them. Do this without delay.

Recital 87: Promptness of Reporting/Notification

You should always notify affected individuals as soon as possible, particularly if it's a serious data breach.

Recital 88: Format and Procedures of the Notification

It's sometimes in the legitimate interests of public authorities to withhold information about a data breach until a later date.

Recital 89: Elimination of the General Reporting Requirement

There's no need to report every single data processing activity to the supervisory authorities.

Recital 90: Data Protection Impact Assessment

Data protection impact assessments must be carried out by controllers handling high-risk data.

Recital 91: Necessity of a Data Protection Impact Assessment

Even if the data you process isn't high risk, conduct an impact assessment if you handle large volumes of information or make significant automated decisions.

Recital 92: Broader Data Protection Impact Assessment

Sometimes, a single impact assessment affects an entire industry or multiple controllers.

Recital 93: Data Protection Impact Assessment at Authorities

Member States can undertake country-wide impact assessments.

Recital 94: Consultation of the Supervisory Authority

Consult with the supervisory authority if your impact assessment shows that you don't have the procedures in place for protecting high-risk data, and you're unsure how to remedy this.

Recital 95: Support by the Processor

Processors should support impact assessments undertaken by their controllers, where possible.

Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process

Supervisory authorities oversee the implementation of new data processing regulations.

Recital 97: Data Protection Officer

Controllers processing large volumes of personal data or handling special category data may be expected to appoint a designated Data Protection Officer. This DPO should be impartial even if they're a company employee.

Recital 98: Preparation of Codes of Conduct by Organisations and Associations

Associations should draw up Codes of Conduct for data processing to support their members.

Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

Consider the views of affected individuals when drawing up a Code of Conduct.

Recital 100: Certification

Member States should provide certification to professional bodies and companies that demonstrate good GDPR compliance.

Recital 101: General Principles for International Data Transfers

If you transfer data to a third country i.e. a country outside the EU, you must comply with the GDPR.

Recital 102: International Agreements for an Appropriate Level of Data Protection

EU Member States can enter their own (compliant) agreements with third countries.

Recital 103: Appropriate Level of Data Protection Based on an Adequacy Decision

The European Commission can "approve" a third country as being GDPR compliant. You can freely exchange information with these territories.

Recital 104: Criteria for an Adequacy Decision

To become an approved country, the national privacy laws must be comparable to the GDPR.

Recital 105: Consideration of International Agreements for an Adequacy Decision

Signing up to international data protection agreements can improve a third country's chance of securing approved status.

Recital 106: Monitoring and Periodic Review of the Level of Data Protection

Approved countries are periodically reviewed.

Recital 107: Amendment, Revocation and Suspension of Adequacy Decisions

The Commission can remove countries from the approved list.

Recital 108: Appropriate Safeguards

If you're transferring data to a non-approved country, you should put appropriate safeguards in place such as a contractual agreement that guarantees the protection of data protection rights.

Recital 109: Standard Data Protection Clauses

You can use standardised clauses provided by your supervisory authority for your third country agreements.

Recital 110: Binding Corporate Rules

If one undertaking in a group of undertakings is based in a third country, there must be binding corporate rules in place to regulate safe data transfer between the organisations.

Recital 111: Exceptions for Certain Cases of International Transfers

You can forego the rules around third country transfers if the affected individual explicitly consents to it or it's in the public interest.

Recital 112: Data Transfers due to Important Reasons of Public Interest

When it's necessary for humanitarian aims, or to protect life, third country rules can be waived.

Recital 113: Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects

If it's a one-off data transfer and it only affects a small number of people, you can possibly waive third country transfer rules.

Recital 114: Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision

You must ensure that data subjects can exercise their rights if you exchange data with a third country.

Recital 115: Rules in Third Countries Contrary to the Regulation

When third country laws contradict the GDPR, it may not be necessary to comply with them.

Recital 116: Cooperation Among Supervisory Authorities

When there's a cross-border data transfer, supervisory authorities must work together to facilitate it.

Recital 117: Establishment of Supervisory Authorities

There must be at least one supervisory authority per Member State.

Recital 118: Monitoring of the Supervisory Authorities

Supervisory authorities are subject to legal scrutiny.

Recital 119: Organisation of Several Supervisory Authorities of a Member State

Every supervisory authority within a Member State must apply the GDPR consistently.

Recital 120: Features of Supervisory Authorities

Member States must ensure that supervisory authorities have the financial resources they need to fulfill their duties.

Recital 121: Independence of the Supervisory Authorities

Supervisory authority members should always act independently.

Recital 122: Responsibility of the Supervisory Authorities

Supervisory authorities have various duties including GDPR compliance investigations and complaints handling.

Recital 123: Cooperation of the Supervisory Authorities with Each Other and with the Commission

Supervisory authorities can cooperate with one another.

Recital 124: Lead Authority Regarding Processing in Several Member States

A "lead" supervisory authority must be appointed when data processing affects individuals across two or more Member States.

Recital 125: Competences of the Lead Authority

The lead supervisory authority can make binding decisions that affect the other supervisory authorities.

Recital 126: Joint Decisions

If there's a cross-border data processing complaint, the supervisory authorities should work together to find a solution.

Recital 127: Information of the Supervisory Authority Regarding Local Processing

If there's a small local matter affecting a data processor or controller established across two or more Member States, the local supervisory authority can deal with the issue.

Recital 128: Responsibility Regarding Processing in the Public Interest

When a public authority processes data in the public interest, and someone makes a complaint, the local supervisory authority should always be the one to handle matters.

Recital 129: Tasks and Powers of the Supervisory Authorities

Supervisory authorities can:

  • Control data processing
  • Handle non-compliance complaints
  • Issue sanctions, where appropriate

Member States can offer their respective supervisory authorities more powers.

Recital 130: Consideration of the Authority with which the Complaint has been Lodged

If someone lodges a complaint with the local supervisory authority rather than the lead authority, the lead authority must consider the local authority's opinion when administering sanctions.

Recital 131: Attempt of an Amicable Settlement

Where appropriate, supervisory authorities can handle disputes amicably.

Recital 132: Awareness-Raising Activities and Specific Measures

Each supervisory authority should promote good data compliance practices.

Recital 133: Mutual Assistance and Provisional Measures

Where possible, supervisory authorities should assist each other.

Recital 134: Participation in Joint Operations

Supervisory authorities can conduct joint operations.

Recital 135: Consistency Mechanism

Supervisory authorities should always behave consistently.

Recital 136: Binding Decisions and Opinions of the Board

The European Data Protection Board (EDPB) can judge whether supervisory authorities are behaving consistently.

Recital 137: Provisional Measures

Supervisory authorities can enact temporary measures to protect personal data rights, when appropriate.

Recital 138: Urgency Procedure

Supervisory authorities can act together without regard for consistency when there's an emergency cross-border dispute.

Recital 139: European Data Protection Board

The EDPB can:

  • Ensure supervisory authorities cooperate
  • Help the authorities apply GDPR properly

Recital 140: Secretariat and Staff of the Board

The EDPB has a secretariat.

Recital 141: Right to Lodge a Complaint

Everyone can complain to their supervisory authority if they're unhappy with a data processing issue.

Recital 142: The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association

Nonprofits with a legitimate interest can support people when they bring complaints against a controller, processor, or supervisory authority.

Recital 143: Judicial Remedies

Data subjects can ask the courts to review an EDPB decision.

If someone brings a case against a processor or controller in one court, and there's another similar case already pending in another court, the second case will be suspended until the first case settles.

Recital 145: Choice of Venue

Usually, an individual can sue a controller or processor in either:

  • Their own Member State
  • Wherever the processor or controller has its main base

Recital 146: Indemnity

Data controllers and processors must compensate affected individuals if there's a data breach unless they can prove they're blameless.

Recital 147: Jurisdiction

There are specific rules for when the GDPR applies in various courts.

Recital 148: Penalties

Financial penalties are always permitted if a company breaches the GDPR, but they're not always issued. It depends on:

  • The offence severity
  • How quickly it was reported
  • Whether it's the first incident
  • If the company took steps to mitigate the damage

Recital 149: Penalties for Infringements of National Rules

Member States can establish their own criminal penalties for GDPR breaches.

Recital 150: Administrative Fines

Supervisory authorities have the power to issue fines, so long as they're consistent in how they apply this power.

Recital 151: Administrative Fines in Denmark and Estonia

These countries have their own legal frameworks for applying GDPR fines.

Recital 152: Power of Sanction of the Member States

A Member State can supplement the GDPR penalty framework with its own rules.

Recital 153: Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression

Sometimes, there's a need to prioritise freedom of expression over the GDPR, particularly in the professions mentioned in this Recital.

Recital 154: Principle of Public Access to Official Documents

Freedom of information isn't restricted by the GDPR.

Recital 155: Processing in the Employment Context

There's a need for Member States to legislate on how to process personal data in the employment context. Some employment situations, such as diversity planning, may be exempt from the GDPR.

Recital 156: Processing for Archiving, Scientific or Historical Research or Statistical Purposes

If you're processing personal data for these specific purposes, special safeguards are essential.

It's permissible to use personal data provided for other purposes for the reasons outlined in this Recital so long as the affected individuals can't be identified.

Recital 157: Information from Registries and Scientific Research

Personal data from registries, processed for scientific research purposes, must be protected at all times.

Recital 158: Processing for Archiving Purposes

When Member States process personal data for archiving purposes, the GDPR applies.

Recital 159: Processing for Scientific Research Purposes

For GDPR purposes, scientific research includes public health matters and tech development.

Recital 160: Processing for Historical Research Purposes

With the exception of deceased people, the GDPR covers historical research.

Recital 161: Consenting to the Participation in Clinical Trials

Clinical trials fall outside the scope of the GDPR.

Recital 162: Processing for Statistical Purposes

If statistical data processing makes it impossible to identify the individuals involved, you can use the data for other purposes without getting consent.

Recital 163: Production of European and National Statistics

The GDPR covers statistical research performed on a national or EU-wide level.

Recital 164: Professional or Other Equivalent Secrecy Obligations

Member States can restrict supervisory authority access to restricted data, if it's justified on secrecy grounds.

Recital 165: No Prejudice of the Status of Churches and Religious Associations

The GDPR doesn't affect Member State laws on churches and protected associations.

Recital 166: Delegated Acts of the Commission

If the European Commission wants to make minor changes to existing laws, it can.

Recital 167: Implementing Powers of the Commission

The Commission can implement the GDPR.

Recital 168: Implementing Acts on Standard Clauses

If the Commission implements parts of the GDPR, it should do so only after closely examining the matter, and it should always act consistently.

Recital 169: Immediately Applicable Implementing Acts

The Commission may act urgently, if necessary.

Recital 170: Principle of Subsidiarity and Principle of Proportionality

Subsidiarity: The EU has jurisdiction over matters best handled at supranational rather than Member State level.

Proportionality: The EU should do only what's necessary to achieve something, and no more.

Recital 171: Repeal of Directive 95/46/EC and Transitional Provisions

The GDPR replaces this directive.

Recital 172: Consultation of the European Data Protection Supervisor

The European Data Protection Supervisor delivered an opinion on the GDPR in 2012.

Recital 173: Relationship to Directive 2002/58/EC

The EU's ePrivacy Directive is unrelated to the GDPR, but should be read consistently alongside it.