- Article 4 Definitions
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘main establishment’ means:
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
‘cross-border processing’ means either:
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.