GDPR Regulation (Breakdown of GDPR Text Article By Article)

In this article, we will cover the entire GDPR Regulation and break down the GDPR text article by article so you can quickly understand its scope and content.

GDPR is the General Data Protection Regulation and it represents the European version of data protection and data privacy legislation.

It is an extensive and strict set of rules governing how individuals and organizations collect, process and store personal information.

The GDPR text started producing legal effects as of May 25, 2018, and it is binding upon all the European Union member countries.

In this article, we will look at each article of GDPR and provide you with a high-level overview of the rights and obligations contained in this extensive regulation.

Are you ready?

Let’s get started!

Chapter I: General Provisions

Article 1 GDPR – Subject-Matter And Objectives

The first article of GDPR sets out its subject-matter and objectives.

GDPR lays down rules on the protection of natural persons (individuals) with regard to the processing of their personal data, and rules on the free movement of personal data.

Its objective is to protect the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.

What’s also notable in Article 1 is that the free movement of personal data within the European Union may be neither restricted nor prohibited for reasons connected with the protection of individuals: data protection is not meant to be a barrier to data flows inside the EU.

Read our post on Article 1 GDPR for a more detailed summary of the GDPR regulation regarding its subject-matter and objectives.

Article 2 GDPR – Material Scope

Article 2 of the GDPR regulation defines its material scope.

GDPR applies to the processing of personal data that is:

  1. Wholly automated
  2. Partly automated
  3. Carried out by non-automated means, where the personal data form part of a filing system or are intended to form part of one

GDPR does not apply to the processing of personal data:

  1. In the course of an activity that falls outside the scope of European Union law
  2. By EU member countries when carrying out activities within the scope of Chapter 2 of Title V of the Treaty on European Union (common foreign and security policy)
  3. By a natural person in the course of a purely personal or household activity
  4. By competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against threats to public security (this processing is governed by a separate directive, Directive (EU) 2016/680)

Also, GDPR does not affect the application of Directive 2000/31/EC on electronic commerce, and in particular leaves intact that directive’s rules on the liability of intermediary service providers (its Articles 12 to 15).

Read our post on Article 2 GDPR for a more detailed summary of the GDPR regulation regarding its material scope.

Article 3 GDPR – Territorial Scope

GDPR applies to the processing of personal data in the context of the activities of an establishment of a data controller or processor in the European Union, regardless of whether the processing itself takes place in the EU or not.

GDPR also applies to controllers and processors established outside the European Union when they process personal data of individuals (data subjects) who are in the EU, provided the processing relates to either:

  1. Offering goods or services to those individuals, whether or not payment is required
  2. Monitoring their behaviour, as far as that behaviour takes place within the EU

Finally, GDPR applies to a controller established outside the EU in a place where the law of an EU member country applies by virtue of public international law (for example, a diplomatic mission).

Read our post on Article 3 GDPR for a more detailed summary of the GDPR regulation regarding its territorial scope.

Article 4 GDPR – Definitions

GDPR defines important concepts and we’ll provide you with a few of the defined terms here.

What’s interesting is that the term data subject has no definition entry of its own.

It is introduced parenthetically inside the definition of personal data in Article 4(1): a data subject is the identified or identifiable natural person to whom the personal data relate.

Here are some of the important terms defined (Article 4 defines 26 in total):

  • Consent
  • Controller
  • Cross-border processing
  • Enterprise
  • Main establishment
  • Personal data
  • Personal data breach
  • Processing
  • Processor
  • Profiling
  • Pseudonymisation

Read our post on Article 4 GDPR for a more detailed summary of the GDPR regulation regarding its definitions.

Chapter II: Principles 

Article 5 GDPR – Principles Relating To Processing of Personal Data

Article 5 of GDPR sets out the foundational principles that individuals and organizations must adhere to when processing personal data.

The following are the 7 GDPR guiding principles (the first six are listed in Article 5(1); the seventh, accountability, is in Article 5(2) and requires the controller to be responsible for, and able to demonstrate, compliance with the other six):

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation 
  3. Data minimisation
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality
  7. Accountability

Read our post on Article 5 GDPR for a more detailed summary of the GDPR regulation regarding the GDPR guiding principles.

Article 6 GDPR – Lawfulness of Processing

Data processing is lawful under Article 6 of GDPR only if at least one of the following six legal bases applies:

  1. The data subject has given consent to the processing for one or more specific purposes
  2. Processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject
  4. Processing is necessary to protect the vital interests of the data subject or of another natural person
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child

Public authorities cannot rely on the legitimate-interests basis for processing carried out in the performance of their tasks.

Read our post on Article 6 GDPR for a more detailed summary of the GDPR regulation regarding the lawfulness of processing.

Article 7 GDPR – Conditions For Consent

Article 7 of GDPR outlines the conditions under which a data subject’s consent is valid as a basis for collecting, processing and storing personal data.

When an organization processes personal data on the basis of consent, it must be able to demonstrate that the data subject has consented. If consent is given in a written declaration that also concerns other matters, the request for consent must be clearly distinguishable from them, intelligible and in clear and plain language.

The data subject may withdraw consent at any time, and it must be as easy to withdraw consent as it was to give it. Withdrawal does not affect the lawfulness of processing done before it.

Consent is also unlikely to count as freely given if the performance of a contract is made conditional on consent to processing that is not necessary for that contract.

Read our post on Article 7 GDPR for a more detailed summary of the GDPR regulation regarding the conditions for getting consent.

Article 8 GDPR – Conditions Applicable To Child’s Consent In Relation To Information Society Services

When processing is based on consent in relation to the offer of information society services directly to a child, the consent of a child aged 16 or more is lawful.

If the child is below 16, the processing is lawful only if consent is given or authorised by the holder of parental responsibility over the child. EU member countries may set a lower age by law, provided it is not below 13.

The controller must make reasonable efforts, taking available technology into account, to verify that consent was given or authorised by the holder of parental responsibility.

Read our post on Article 8 GDPR for a more detailed summary of the GDPR regulation regarding the conditions related to getting consent from a child.

Article 9 GDPR – Processing of Special Categories of Personal Data

Article 9 of GDPR singles out “special categories” of personal data whose processing is, as a rule, prohibited because of the sensitivity of the data for individuals.

These categories are personal data revealing:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership

and the processing of:

  5. Genetic data
  6. Biometric data for the purpose of uniquely identifying a person
  7. Data concerning health
  8. Data concerning a person’s sex life or sexual orientation

The prohibition does not apply, and the processing of special categories of data is possible, when:

  1. The data subject has given explicit consent, unless EU or member-country law says the prohibition cannot be lifted by consent
  2. The processing is necessary to carry out the obligations or exercise the specific rights of the controller or the data subject in the field of employment, social security or social protection law, as authorised by law or a collective agreement
  3. The processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent
  4. The processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and relates only to its members, former members or regular contacts
  5. The data have manifestly been made public by the data subject
  6. The processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity
  7. The processing is necessary for reasons of substantial public interest, on the basis of law
  8. The processing is necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services
  9. The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
  10. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Read our post on Article 9 GDPR for a more detailed summary of the GDPR regulation regarding the processing of special categories of personal data.

Article 10 GDPR – Processing of Personal Data Relating To Criminal Convictions And Offences

GDPR states that personal data relating to criminal convictions and offences (or related security measures) may be processed on one of the Article 6(1) legal bases only under the control of official authority, or where the processing is authorised by EU or member-country law providing appropriate safeguards for the rights and freedoms of data subjects. A comprehensive register of criminal convictions may be kept only under the control of official authority.

Read our post on Article 10 GDPR for a more detailed summary of the GDPR regulation regarding the processing of personal data related to criminal convictions and offences.

Article 11 GDPR – Processing Which Does Not Require Identification

If the purposes for which a controller processes personal data do not, or no longer, require the identification of the data subject, the controller is not obliged to maintain, acquire or process additional information just to identify the data subject for the sake of complying with GDPR.

Where the controller can show it is not in a position to identify the data subject, it must inform the data subject of this if possible, and the rights in Articles 15 to 20 do not apply unless the data subject provides additional information enabling their identification.

Read our post on Article 11 GDPR for a more detailed summary of the GDPR regulation regarding the processing which does not require the identification of a person.

Chapter III: Rights of The Data Subjects

Article 12 GDPR – Transparent Information, Communication And Modalities For The Exercise of The Rights of The Data Subject

Data controllers must provide the information that Articles 13 and 14 require, and any communication under Articles 15 to 22 and 34, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This covers both:

  1. Instances when the data controller collects personal data from the data subject directly
  2. Instances when the data controller obtains personal data from another source

If a person wants to exercise a right under GDPR, the controller must facilitate it and respond without undue delay, and in any event within one month of receiving the request (extendable by two further months for complex or numerous requests, provided the person is told why). The information and any action taken are free of charge unless the request is manifestly unfounded or excessive.

Read our post on Article 12 GDPR for a more detailed summary of the GDPR regulation regarding the obligation of transparent information and communication to data subjects.

Article 13 GDPR – Information To Be Provided Where Personal Data Are Collected From The Data Subject

Companies collecting personal data from the data subject are required to provide, at the time of collection, the controller’s identity and contact details (and those of its representative and data protection officer, where applicable), the purposes and legal basis of the processing, the legitimate interests pursued where that is the basis, the recipients of the data and any intention to transfer it to a third country, along with the following information to ensure fair and transparent processing:

  1. For how long personal data will be stored, or if that is not possible, the criteria used to determine that period
  2. That the person has the right to access their data, to request its rectification or erasure, to restrict or object to its processing, and the right to data portability
  3. If the processing is based on the individual’s consent, that the person has the right to withdraw it at any time without affecting the lawfulness of the processing done before the withdrawal
  4. The person’s right to lodge a complaint with a supervisory authority
  5. Whether providing the personal data is a statutory or contractual requirement, or necessary to enter into a contract, whether the person is obliged to provide it, and the possible consequences of not doing so
  6. The existence of automated decision-making, including profiling, meaningful information about the logic involved, and the significance and envisaged consequences for the person

Read our post on Article 13 GDPR for a more detailed summary of the GDPR regulation regarding the disclosure obligation when collecting personal data.

Article 14 GDPR – Information To Be Provided Where Personal Data Have Not Been Obtained From The Data Subject

Companies that obtain personal data from a source other than the data subject are required to provide the same identity, purpose and legal-basis information as under Article 13, plus the following, within a reasonable period (at most one month after obtaining the data, or at the latest when first communicating with the person or disclosing the data to another recipient):

  1. For how long personal data will be stored, or if that is not possible, the criteria used to determine that period
  2. If the processing is based on the company’s legitimate interests, a description of those interests
  3. That the person has the right to access their data, to request its rectification or erasure, to restrict or object to its processing, and the right to data portability
  4. If the processing is based on the individual’s consent, that the person has the right to withdraw it at any time without affecting the lawfulness of the processing done before the withdrawal
  5. The person’s right to lodge a complaint with a supervisory authority
  6. The source from which the personal data originate and, if applicable, whether it came from publicly accessible sources
  7. The existence of automated decision-making, including profiling, meaningful information about the logic involved, and the significance and envisaged consequences for the person

This obligation does not apply where the person already has the information, or where providing it proves impossible or would involve a disproportionate effort.

Read our post on Article 14 GDPR for a more detailed summary of the GDPR regulation regarding the disclosure obligation when personal data was collected from another source than the data subject.

Article 15 GDPR – Right of Access By The Data Subject

If a company processes personal data, GDPR entitles the individual to obtain confirmation of this, access to the data itself, and the following information:

  1. The purposes of the processing
  2. The categories of personal data concerned
  3. The recipients or categories of recipients of the personal data, in particular recipients in third countries or international organisations, and the safeguards applied to such transfers
  4. How long is personal data stored or intended to be stored (Article 15(1)(d) GDPR), or the criteria used to determine that period
  5. The right to request rectification or erasure of the data, restriction of its processing, or to object to such processing, and the right to lodge a complaint with a supervisory authority
  6. Where the personal data were not collected from the data subject, any available information about their source
  7. The existence of any automated decision-making, including profiling, along with meaningful information about the logic involved and its significance and consequences for the data subject

The controller must also provide a copy of the personal data undergoing processing. The first copy is free of charge, and a request made electronically should be answered in a commonly used electronic form unless the person asks otherwise.

Read our post on Article 15 GDPR for a more detailed summary of the GDPR regulation regarding the right to access to personal data by a data subject.

Article 16 GDPR – Right To Rectification

A person has the right to obtain from a company, without undue delay, the rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed, including by means of a supplementary statement.

Read our post on Article 16 GDPR for a more detailed summary of the GDPR regulation regarding the right to rectification of personal data.

Article 17 GDPR – Right To Erasure (‘Right To Be Forgotten’)

A company has an obligation to erase personal data without undue delay when one of the following conditions applies:

  1. The person’s data is no longer necessary for the purposes for which it was collected or otherwise processed
  2. The data subject withdraws the consent on which the processing is based and the company has no other legal basis to process the data
  3. The person objects to the processing under Article 21(1) and the company has no overriding legitimate grounds to continue, or the person objects to processing for direct marketing purposes under Article 21(2)
  4. The person’s data was processed unlawfully
  5. The company must erase the personal data to comply with a legal obligation
  6. The personal data was collected in relation to the offer of information society services to a child (Article 8(1))

A controller that has made the data public must also take reasonable steps, taking into account available technology and cost, to inform other controllers processing the data that the person has requested erasure of any links to, or copies or replications of, that data.

The right does not apply where processing is necessary for exercising freedom of expression and information, for compliance with a legal obligation or a task in the public interest, for public health reasons, for archiving, research or statistical purposes, or for the establishment, exercise or defence of legal claims.

Read our post on Article 17 GDPR for a more detailed summary of the GDPR regulation regarding the right to the erasure of personal data.

Article 18 GDPR – Right To Restriction of Processing

In the following circumstances, a person has the right to request that a company restrict the processing of their personal information:

  1. During the period in which the accuracy of the personal data is disputed and the company is verifying it
  2. When the processing was unlawful but the individual prefers to restrict the processing rather than request erasure of the data
  3. When the company no longer needs the personal data for the purposes of the processing, but the person requires it for the establishment, exercise or defence of legal claims
  4. During the period in which a person has objected to the processing and the company is verifying whether its legitimate grounds override the person’s interests

While processing is restricted, the data may still be stored, but it may otherwise be processed only with the person’s consent, for legal claims, to protect the rights of another person, or for important public interest reasons, and the person must be informed before the restriction is lifted.

Read our post on Article 18 GDPR for a more detailed summary of the GDPR regulation regarding the right to restrict the processing of personal data.

Article 19 GDPR – Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

A company has an obligation to communicate to each recipient to whom it has disclosed personal data, unless this proves impossible or involves disproportionate effort:

  1. Any rectification of the personal data
  2. Any erasure of the personal data
  3. Any restriction of processing

If the person asks, the company must also tell them who those recipients are.

Read our post on Article 19 GDPR for a more detailed summary of the GDPR regulation regarding the notification obligation of a company in the event of personal data rectification or erasure.

Article 20 GDPR – Right To Data Portability

A person can request that a company provide him or her with the personal data concerning them that they supplied to the company, and the person may transmit that data to another controller without hindrance. The data must be provided:

  1. In a structured way
  2. In a commonly used format
  3. In a machine-readable format

This right applies where the processing is based on consent or on a contract and is carried out by automated means. Where technically feasible, the person can require the data to be transmitted directly from one controller to another.

Read our post on Article 20 GDPR for a more detailed summary of the GDPR regulation regarding the right to personal data portability.

Article 21 GDPR – Right To Object

If a company processes personal data on the basis of a task in the public interest or of its legitimate interests (Article 6(1)(e) or (f)), the person has the right to object, on grounds relating to their particular situation, to the processing of their personal data.

The right to object also applies to profiling based on those provisions.

When a person objects, the company must stop processing the data unless it can demonstrate compelling legitimate grounds that override the person’s interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, the person may object at any time and the company must then stop using the data for that purpose; no balancing test applies.

Read our post on Article 21 GDPR for a more detailed summary of the GDPR regulation regarding the right to object to the processing of personal data.

Article 22 GDPR – Automated Individual Decision-Making, Including Profiling

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

This does not apply where the decision is necessary for entering into or performing a contract with the person, is authorised by EU or member-country law with suitable safeguards, or is based on the person’s explicit consent. In the contract and consent cases the company must implement safeguards, including at least the right to obtain human intervention, to express one’s point of view and to contest the decision. Such decisions may not be based on special categories of personal data unless Article 9 allows it and suitable safeguards are in place.

Read our post on Article 22 GDPR for a more detailed summary of the GDPR regulation regarding the right not to be subjected to automated decision-making such as profiling.

Article 23 GDPR – Restrictions

GDPR allows EU member countries to adopt laws that restrict the scope of the GDPR principles and data subject rights, provided the restriction respects the essence of fundamental rights and is necessary and proportionate, in the following instances:

  1. For national security
  2. For national defence
  3. For public security
  4. To prevent, investigate, detect or prosecute criminal offences and to safeguard against threats to public security
  5. For important objectives of general public interest such as monetary, budgetary and taxation matters, public health and social security
  6. To protect judicial independence and judicial proceedings
  7. To prevent, investigate, detect and prosecute breaches of ethics by regulated professions
  8. For monitoring, inspection or regulatory functions connected to the exercise of official authority
  9. To protect the data subject or the rights and freedoms of others
  10. To enforce civil law claims

Read our post on Article 23 GDPR for a more detailed summary of the GDPR regulation regarding the restrictions that an EU member country can impose on the GDPR principles.

Chapter IV: Controller And Processor

Article 24 GDPR – Responsibility of The Controller

GDPR imposes a duty on data controllers to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that their processing complies with the regulation.

In assessing what measures are appropriate, companies must consider the following:

  1. Nature of data processing
  2. Scope of data processing
  3. Context of data processing
  4. Purpose of data processing
  5. The risks of varying likelihood and severity to the rights and freedoms of natural persons

Furthermore, the measures adopted by companies must be reviewed and updated where necessary. Adherence to an approved code of conduct or certification mechanism may be used to help demonstrate compliance.

Read our post on Article 24 GDPR for a more detailed summary of the GDPR regulation regarding the responsibility of controllers.

Article 25 GDPR – Data Protection By Design And By Default

Companies are required to implement technical and organizational measures, such as pseudonymization, that are designed to put the data-protection principles (data minimization among them) into practice and to integrate the necessary safeguards into the processing (data protection by design).

Such measures must be in place:

  1. When the company determines the means of processing
  2. At the time of the processing itself

To determine the most appropriate technical and organizational measures, an organization should take into consideration:

  1. The state of the art
  2. Cost of implementation
  3. Nature of processing
  4. Scope of processing
  5. Context of processing
  6. Purpose of processing
  7. Risks to data subjects

In addition (data protection by default), the company must ensure that, by default, only personal data necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the storage period and accessibility; in particular, personal data must not by default be made accessible to an indefinite number of persons without the individual’s intervention.

Read our post on Article 25 GDPR for a more detailed summary of the GDPR regulation regarding data protection by design and by default.

Article 26 GDPR – Joint Controllers

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must, by means of an arrangement between them, transparently determine their respective responsibilities for complying with GDPR, in particular:

  1. Which of them is responsible for providing the data subject the information required under Articles 13 and 14 (data collected from the person and data obtained from other sources)
  2. How a person can exercise their rights under GDPR against them

The essence of the arrangement must be made available to the data subject, and the joint controllers may designate one point of contact for data subjects. Regardless of the arrangement, the data subject may exercise their rights against each of the joint controllers.

Read our post on Article 26 GDPR for a more detailed summary of the GDPR regulation regarding joint controllers.

Article 27 GDPR – Representatives of Controllers or Processors Not Established In The Union

When a company not established in the European Union processes personal data of individuals located in the EU in relation to the offering of goods or services to them, or to the monitoring of their behaviour as far as it takes place within the EU, it must designate in writing a representative in the European Union.

The obligation does not apply when all of the following hold:

  1. The data processing is only occasional
  2. It does not include, on a large scale, the processing of special categories of personal data or of personal data relating to criminal convictions and offences
  3. It is unlikely to result in a risk to individuals’ rights and freedoms, considering the nature, context, scope and purpose of the processing

Public authorities or bodies are also exempt. Designating a representative does not affect the legal actions that can be taken against the controller or processor itself.

Read our post on Article 27 GDPR for a more detailed summary of the GDPR regulation regarding the obligation to designate a representative if a controller or processor is not established in the EU.

Article 28 GDPR – Processor

GDPR requires that data controllers use only processors providing sufficient guarantees of appropriate technical and organizational measures, and that they enter into a contract (or other binding legal act) with data processors setting out the following:

  1. Subject-matter of the data processing
  2. Duration of the data processing
  3. Nature and purpose of the data processing
  4. Type of personal data processed
  5. Categories of data subjects affected
  6. Obligations and rights of the data controller

The contract must further stipulate that the data processor:

  1. Processes the personal data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do so by law (in which case it informs the controller beforehand)
  2. Ensures that the persons authorised to process the personal data are bound by confidentiality
  3. Implements the technical and organizational security measures required by Article 32
  4. Does not engage another processor without the prior specific or general written authorisation of the controller
  5. Flows down the same data-protection obligations to any sub-processor it engages, and remains fully liable to the controller for the sub-processor’s performance
  6. Assists the controller in responding to requests from data subjects exercising their rights
  7. Assists the controller in meeting its obligations on security of processing, breach notification to the supervisory authority, breach communication to data subjects, data protection impact assessments and prior consultation with the supervisory authority
  8. Deletes or returns all personal data at the end of the services, at the controller’s choice, and deletes existing copies unless law requires their storage
  9. Makes available to the controller all information necessary to demonstrate compliance, and allows for and contributes to audits, including inspections, by the controller or an auditor it mandates

A processor that determines the purposes and means of processing on its own is considered a controller in respect of that processing.

Read our post on Article 28 GDPR for a more detailed summary of the GDPR regulation regarding the obligations of a processor.

Article 29 GDPR – Processing Under The Authority of The Controller or Processor

A data processor, and any person acting under the authority of the data controller or of the data processor, who has access to personal data may process it only on the instructions of the data controller, unless required to do so by EU or member-country law.

Read our post on Article 29 GDPR for a more detailed summary of the GDPR regulation regarding the obligation of data processors to remain under the authority of data controllers.

Article 30 GDPR – Records of Processing Activities

Controllers (and their representatives, where applicable) must keep a record of their processing activities, in writing, including in electronic form, containing the following:

  1. Name and contact details of the controller, any joint controllers, the controller’s representative and the data protection officer
  2. The purposes of the data processing activities
  3. A description of the categories of data subjects and of the categories of personal data
  4. The categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organisations
  5. Where applicable, transfers of personal data to third countries or international organisations, including the identification of the third country and, for transfers under the second subparagraph of Article 49(1), documentation of suitable safeguards
  6. Where possible, the envisaged time limits for erasure of the different categories of data
  7. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)

Processors (and their representatives, where applicable) must keep a record of all categories of processing carried out on behalf of each controller, containing:

  1. Name and contact details of the processor or processors, of each controller on whose behalf they act, and of their representatives and data protection officers where applicable
  2. The categories of processing carried out on behalf of each controller
  3. Where applicable, transfers of personal data to third countries or international organisations, including the identification of the third country and, for transfers under the second subparagraph of Article 49(1), documentation of suitable safeguards
  4. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)

The records must be made available to the supervisory authority on request. Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.

Read our post on Article 30 GDPR for a more detailed summary of the GDPR regulation regarding the data controller and data processor’s record-keeping obligations.

Article 31 GDPR – Cooperation With The Supervisory Authority

Data controllers, data processors along with their representatives have a duty to cooperate with the relevant supervisory authorities in the performance of their tasks.

Read our post on Article 31 GDPR for a more detailed summary of the GDPR regulation regarding the cooperation obligation of data controllers and data processors with the supervisory authority.

Article 32 GDPR – Security of Processing

Data controllers and data processors must implement technical and organizational measures ensuring a level of security appropriate to the risk, taking into account:

  1. The state of the art in the field of security and technology
  2. The cost of implementation of the security measures
  3. Nature of processing
  4. Scope of processing
  5. Context of processing
  6. Purpose of processing
  7. The risks of varying likelihood and severity to the rights and freedoms of data subjects

The risks to consider are, in particular, those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The measures include, as appropriate:

  1. Pseudonymisation and encryption of personal data
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  3. The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
  4. A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures

Adherence to an approved code of conduct or certification mechanism may be used to help demonstrate compliance, and anyone acting under the authority of the controller or processor who has access to personal data may process it only on the controller’s instructions, unless required to do so by law.

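Article 25 above asks for pseudonymisation and data minimisation to be built into processing, and Article 32 lists pseudonymisation and encryption among the security measures. The following Python example is added here as an illustration; it is not part of the GDPR text or of any product. It shows one way to pseudonymise a record with a keyed hash (HMAC-SHA256) so that, as the Article 4(5) definition requires, re-identification needs additional information (the key) that is kept separately from the data set, and it drops the fields not needed for the stated purpose. The record layout, field names, sample records and key handling are constructed assumptions. It also shows why a plain, unkeyed hash of an e-mail address is not adequate pseudonymisation: an attacker holding the data set and a list of candidate addresses recovers the address by hashing each candidate.

```python
"""Pseudonymisation with a keyed hash, plus minimisation of a record.

Added example for this page, not part of the GDPR text or of any product.
The record layout, the field names and the key handling are illustrative
assumptions; the sample records below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample input: what a controller might hold in an orders table.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"user_id": "u-1001", "email": "alice@example.com", "phone": "+49 30 123456",
     "country": "DE", "order_total": 42.50},
    {"user_id": "u-1002", "email": "bob@example.com", "phone": "+33 1 23 45 67 89",
     "country": "FR", "order_total": 17.00},
]

# Only the fields needed for the assumed purpose (per-country sales analysis
# that must still link repeat buyers) are kept; everything else, e.g. the
# phone number, is dropped before the data set leaves the source system
# (data protection by default, Article 25(2)).
FIELDS_KEPT = ("user_id", "email", "country", "order_total")
# Fields that identify the person directly and are replaced by pseudonyms.
DIRECT_IDENTIFIERS = ("user_id", "email")


def new_pseudonymisation_key() -> bytes:
    """Generate the 'additional information' of Article 4(5).

    The key is what ties a token back to a person, so it is kept separately
    from the pseudonymised data set (e.g. in a secrets store the analytics
    environment cannot read), never alongside it.
    """
    return secrets.token_bytes(32)


def keyed_pseudonym(field: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over 'field:value' under the separately held key.

    Including the field name keeps the same raw value in two different
    fields from producing the same token.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 of the value: the weak variant, shown for comparison."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise_record(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Minimise a record and replace its direct identifiers with keyed tokens.

    The same identifier under the same key always yields the same token, so
    repeat buyers can still be linked; a different key yields unrelated
    tokens, so two data sets keyed separately cannot be joined on them.
    """
    out: Dict[str, object] = {}
    for field in FIELDS_KEPT:
        if field not in record:
            continue
        value = record[field]
        if field in DIRECT_IDENTIFIERS:
            out[field] = keyed_pseudonym(field, str(value), key)
        else:
            out[field] = value
    return out


def dictionary_attack(token: str, candidates: List[str],
                      pseudonymiser: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify a token by running each candidate through the
    function the attacker believes was used. E-mail addresses and customer
    IDs are low-entropy, so this is cheap against an unkeyed hash; without
    the key it cannot reproduce an HMAC token."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymiser(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, key))
    leaked = ["carol@example.com", "alice@example.com", "bob@example.com"]
    # An unkeyed hash of an e-mail address is recovered from a candidate list...
    print(dictionary_attack(unkeyed_pseudonym("alice@example.com"), leaked, unkeyed_pseudonym))
    # ...while the keyed token is not, unless the attacker also holds the key.
    attacker_guess = secrets.token_bytes(32)
    print(dictionary_attack(keyed_pseudonym("email", "alice@example.com", key), leaked,
                            lambda c: keyed_pseudonym("email", c, attacker_guess)))
```

Run as a script, it prints the two minimised, pseudonymised records, then the recovered address for the unkeyed hash and None for the keyed token. Two practical caveats: pseudonymised data is still personal data under GDPR, since the key holder can re-identify it, so the key must live with a party or system that consumers of the pseudonymised set cannot reach; and rotating the key breaks linkage between data sets produced before and after the rotation, which may or may not be what you want.
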
Read our post on Article 32 GDPR for a more detailed summary of the GDPR regulation regarding how personal data can be processed in a secure way.

Article 33 GDPR – Notification of A Personal Data Breach To The Supervisory Authority

In the event of a personal data breach, the data controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Where all the information is not available at once, it may be provided in phases without further undue delay.

The notification must at least describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and of records concerned), give the contact details of the data protection officer or another contact point, describe the likely consequences of the breach, and describe the measures taken or proposed to address it and mitigate its effects.

The controller does not need to notify if the breach is unlikely to result in a risk to the rights and freedoms of individuals. Either way, the controller must document every personal data breach, including its facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.

Similarly, a data processor that becomes aware of a personal data breach must notify the data controller without undue delay.

Read our post on Article 33 GDPR for a more detailed summary of the GDPR regulation regarding a data breach notification obligation.

Article 34 GDPR – Communication of A Personal Data Breach To The Data Subject

When a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must, in addition to notifying the supervisory authority, communicate the breach to the data subjects concerned.

The controller must make this communication without undue delay.

The communication must describe, in clear and plain language:

  1. The nature of the data breach
  2. Name and contact details of the data controller’s data protection officer or other point of contact
  3. The likely consequences of the data breach
  4. The measures taken or proposed to address the data breach and to mitigate its possible adverse effects on data subjects

Communication to data subjects is not required if the controller had applied measures, such as encryption, that render the data unintelligible to anyone not authorised to access it; if it has since taken measures so that the high risk is no longer likely to materialise; or if individual communication would involve disproportionate effort, in which case a public communication or an equally effective measure must be used instead. The supervisory authority may also require the controller to communicate the breach.

Read our post on Article 34 GDPR for a more detailed summary of the GDPR regulation regarding the notification of personal data breach to data subjects.

Article 35 GDPR – Data Protection Impact Assessment

When a company intends to engage in personal data processing that is likely to result in a high risk to the rights and freedoms of the data subjects concerned, in particular because it uses new technologies and in light of the nature, scope, context and purpose of the processing, a data protection impact assessment must be done before the processing starts. The controller must seek the advice of its data protection officer, where one is designated.

A data protection impact assessment or DPIA can address a single type of processing operation or a set of similar operations that present similar high risks. A DPIA is required in particular for a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; for large-scale processing of special categories of data or of data relating to criminal convictions and offences; and for systematic monitoring of a publicly accessible area on a large scale. Supervisory authorities publish lists of processing operations that require a DPIA.

The assessment must contain at least a systematic description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects, and the measures envisaged to address those risks and demonstrate compliance.

Read our post on Article 35 GDPR for a more detailed summary of the GDPR regulation regarding the requirement for a data protection impact assessment.

Article 36 GDPR – Prior Consultation

A data controller must consult the supervisory authority before processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk.

When consulted, the supervisory authority has up to eight weeks (extendable by six weeks for complex processing) to give written advice if it considers the intended processing would infringe GDPR, and the controller must provide it with the DPIA and the information it needs to assess the processing.

Read our post on Article 36 GDPR for a more detailed summary of the GDPR regulation regarding the requirement to consult with a supervisory authority.

Article 37 GDPR – Designation of The Data Protection Officer

Organizations must designate a data protection officer or DPO in any of the following instances:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  2. The organization’s core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  3. The organization’s core activities consist of large-scale processing of special categories of data (Article 9) or of personal data relating to criminal convictions and offences (Article 10)

The DPO is chosen on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and may be a staff member or an external contractor. The organization must publish the DPO’s contact details and communicate them to the supervisory authority.

Read our post on Article 37 GDPR for a more detailed summary of the GDPR regulation regarding the requirement to designate a data protection officer.

Article 38 GDPR – Position of The Data Protection Officer

The role of the data protection officer is to help organizations protect personal data and comply with GDPR.

As such, organizations must involve their data protection officer, properly and in a timely manner, in all issues related to the protection of personal data.

Data controllers and data processors are required to:

  1. Support the DPO in performing their tasks
  2. Provide the DPO with sufficient resources to enable them to perform those tasks
  3. Provide the DPO with access to personal data and processing operations
  4. Help the DPO maintain his or her expert knowledge

The DPO must not receive instructions on how to exercise their tasks, may not be dismissed or penalised for performing them, and reports directly to the highest management level. Data subjects may contact the DPO on all issues related to the processing of their personal data, and any other tasks the DPO performs must not result in a conflict of interests.

Read our post on Article 38 GDPR for a more detailed summary of the GDPR regulation regarding the position of the DPO.

Article 39 GDPR – Tasks of The Data Protection Officer

GDPR assigns at least the following tasks to the data protection officer:

  1. Inform and advise the data controller or data processor, and the employees who carry out processing, of their obligations under GDPR
  2. Monitor compliance with GDPR and with the organization's own data protection policies, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  3. Provide advice, where requested, on the data protection impact assessment and monitor its performance
  4. Cooperate with the supervisory authority
  5. Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation under Article 36

Read our post on Article 39 GDPR for a more detailed summary of the GDPR regulation regarding the tasks of the DPO.

Article 40 GDPR – Codes of Conduct

Taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises, the regulation requires the member states, the supervisory authorities, the Board and the Commission to encourage the drawing up of codes of conduct that contribute to the proper application of GDPR.

Read our post on Article 40 GDPR for a more detailed summary of the GDPR regulation regarding the drawing up and adherence to codes of conduct.

Article 41 GDPR – Monitoring of Approved Codes of Conduct

GDPR allows the monitoring of compliance with a code of conduct to be carried out by a body that has an appropriate level of expertise in relation to the subject-matter of the code and that has been accredited for that purpose by the competent supervisory authority.

The powers given to these accredited bodies are without prejudice to the tasks and powers of the competent supervisory authority under GDPR.

Read our post on Article 41 GDPR for a more detailed summary of the GDPR regulation regarding the monitoring of approved codes of conduct.

Article 42 GDPR – Certification

Taking into account the specific needs of micro, small and medium-sized enterprises, the GDPR regulation requires the member states, the supervisory authorities, the European Data Protection Board and the Commission to encourage the establishment of data protection certification mechanisms, seals and marks so that controllers and processors can demonstrate their compliance with GDPR.

Read our post on Article 42 GDPR for a more detailed summary of the GDPR regulation regarding the certification mechanism.

Article 43 GDPR – Certification Bodies

A body wishing to act as a certification body authorized to issue, renew and withdraw certifications must demonstrate an appropriate level of expertise in relation to data protection, and must inform the competent supervisory authority so that it can exercise its powers under GDPR where necessary.

Each EU member state must ensure that certification bodies are accredited by one or both of the following:

  1. The competent supervisory authority
  2. The national accreditation body named in accordance with Regulation (EC) No 765/2008

Read our post on Article 43 GDPR for a more detailed summary of the GDPR regulation regarding the certification bodies.

Chapter V: Transfers of Personal Data To Third Countries or International Organisations

Article 44 GDPR – General Principle For Transfers

Data controllers and data processors may transfer personal data to a third country or an international organization only if the conditions laid down in Chapter V are met, so that the level of protection guaranteed by GDPR is not undermined by the transfer, including any onward transfer from that third country or organization.

Read our post on Article 44 GDPR for a more detailed summary of the GDPR regulation regarding the general principle relating to the transfer of personal data.

Article 45 GDPR – Transfers On The Basis of An Adequacy Decision

When the Commission has decided that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection, data controllers and data processors may transfer personal data there without needing any specific authorization.

Read our post on Article 45 GDPR for a more detailed summary of the GDPR regulation regarding the transfer of personal data based on an adequacy decision of the Commission.

Article 46 GDPR – Transfers Subject To Appropriate Safeguards

In the absence of an adequacy decision, data controllers and data processors may transfer personal data to a third country or an international organization only if:

  1. The controller or processor has provided appropriate safeguards (for example standard data protection clauses adopted by the Commission, binding corporate rules, or an approved code of conduct or certification mechanism)
  2. Enforceable data subject rights are available
  3. Effective legal remedies for data subjects are available

Read our post on Article 46 GDPR for a more detailed summary of the GDPR regulation regarding the transfer of personal data subject to appropriate safeguards.

Article 47 GDPR – Binding Corporate Rules

The competent supervisory authority approves binding corporate rules in accordance with the consistency mechanism, provided that they:

  1. Are legally binding, and apply to and are enforced by every member of the group of undertakings or group of enterprises engaged in a joint economic activity, including their employees
  2. Expressly confer enforceable rights on data subjects with regard to the processing of their personal data
  3. Fulfil the requirements laid down in Article 47(2) GDPR

Read our post on Article 47 GDPR for a more detailed summary of the GDPR regulation regarding the transfer of personal data based on binding corporate rules.

Article 48 GDPR – Transfers or Disclosures Not Authorised By Union Law

A judgment of a court or tribunal, or a decision of an administrative authority, of a third country requiring a data controller or data processor to transfer or disclose personal data is recognised or enforceable in the EU only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a member state. This is without prejudice to the other grounds for transfer set out in Chapter V.

Read our post on Article 48 GDPR for a more detailed summary of the GDPR regulation regarding when transfers are not authorized by the EU law.

Article 49 GDPR – Derogations For Specific Situations

If an organization intends to transfer personal data to a third country or international organization for which there is no adequacy decision and no appropriate safeguards under Article 46, the transfer can take place only on one of the following conditions:

  1. The data subject has explicitly consented to the proposed transfer after being informed of the possible risks of the transfer due to the absence of an adequacy decision and appropriate safeguards
  2. The transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures taken at the data subject's request
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person
  4. The transfer is necessary for important reasons of public interest
  5. The transfer is necessary for the establishment, exercise or defence of legal claims
  6. The transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
  7. The transfer is made from a register which is intended to provide information to the public and which is open to consultation by the public or by any person who can demonstrate a legitimate interest

If there is no adequacy decision, no appropriate safeguards and none of the derogations of Article 49(1) applies, a data controller may still make a transfer only when all of the following are true:

  1. The transfer is not repetitive
  2. It concerns only a limited number of data subjects
  3. It is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject
  4. The controller has assessed all the circumstances surrounding the data transfer
  5. On the basis of that assessment, the controller has provided suitable safeguards for the protection of the personal data

In such a case, the data controller must inform the supervisory authority of the transfer, and must also inform the data subject of the transfer and of the compelling legitimate interests pursued.

Read our post on Article 49 GDPR for a more detailed summary of the GDPR regulation regarding the derogations for specific situations to transfer personal data.

Article 50 GDPR – International Cooperation For The Protection of Personal Data

With the global economy and technology allowing personal data to be transferred from one continent to another, GDPR encourages the Commission and the supervisory authorities to develop international cooperation with third countries and international organizations for the sake of data protection.

Read our post on Article 50 GDPR for a more detailed summary of the GDPR regulation regarding the international cooperation for the purpose of personal data protection.

Chapter VI: Independent Supervisory Authorities

Article 51 GDPR – Supervisory Authority

Each EU member state must provide for one or more independent public authorities responsible for monitoring the application of GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

Each supervisory authority must contribute to the consistent application of the GDPR regulation throughout the EU and, for that purpose, cooperate with the other supervisory authorities and the Commission.

Read our post on Article 51 GDPR for a more detailed summary of the GDPR regulation regarding the establishment of an independent supervisory authority.

Article 52 GDPR – Independence

For GDPR enforcement to be effective, supervisory authorities must act with complete independence when performing their tasks and exercising their powers.

Each member of a supervisory authority must:

  1. Perform his or her duties and exercise his or her powers in accordance with GDPR
  2. Remain free from external influence, whether direct or indirect
  3. Neither seek nor take instructions from anybody

Read our post on Article 52 GDPR for a more detailed summary of the GDPR regulation regarding the independence of supervisory authorities.

Article 53 GDPR – General Conditions For The Members of The Supervisory Authority

Each EU member state must appoint the members of its supervisory authority through a transparent procedure by its parliament, its government, its head of state or an independent body entrusted with the appointment under member state law.

Each member of the supervisory authority must have the expertise, qualification and skills relating to data protection so they can successfully accomplish their duties.

Read our post on Article 53 GDPR for a more detailed summary of the GDPR regulation regarding the requirements to become a member of the supervisory authority.

Article 54 GDPR – Rules On The Establishment of The Supervisory Authority

When an EU member state establishes its supervisory authority, it must ensure that all of the following requirements are provided for in the law:

  1. The actual establishment of the supervisory authority 
  2. Eligibility criteria for a member to be appointed
  3. Rules related to the appointment of a member of the supervisory authority 
  4. Rules related to the term of appointment of a member of the supervisory authority 
  5. Rules related to the number of times a member can be reappointed 
  6. Conditions related to the obligations of the supervisory members and their staff 

Read our post on Article 54 GDPR for a more detailed summary of the GDPR regulation regarding the rules of the establishment of the supervisory authority.

Article 55 GDPR – Competence

Each supervisory authority is competent to perform the tasks and exercise the powers conferred on it by GDPR on the territory of its own member state.

Where processing is carried out by public authorities or by private bodies acting on the basis of a legal obligation (Article 6(1)(c)) or of a task in the public interest or the exercise of official authority (Article 6(1)(e)), the supervisory authority of the member state concerned is competent and the lead supervisory authority mechanism of Article 56 does not apply.

Supervisory authorities are not competent to supervise processing operations of courts acting in their judicial capacity.

Read our post on Article 55 GDPR for a more detailed summary of the GDPR regulation regarding the competence of the supervisory authority.

Article 56 GDPR – Competence of The Lead Supervisory Authority

The supervisory authority of the main establishment or of the single establishment of the data controller or data processor is competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.

By way of derogation, each supervisory authority remains competent to handle a complaint lodged with it, or a possible infringement of GDPR, if the subject matter:

  1. Relates only to an establishment in its member state, or
  2. Substantially affects data subjects only in its member state

Read our post on Article 56 GDPR for a more detailed summary of the GDPR regulation regarding the competence of the lead supervisory authority.

Article 57 GDPR – Tasks

GDPR provides specific details as to the tasks expected to be performed by the supervisory authority of each EU member state.

Read our post on Article 57 GDPR for a more detailed summary of the GDPR regulation regarding the tasks of the supervisory authority.

Article 58 GDPR – Powers

Each supervisory authority has the following investigative powers:

  1. Order the data controller, the data processor and, where applicable, their representative to provide any information it requires for the performance of its tasks
  2. Carry out investigations in the form of data protection audits
  3. Carry out a review of certifications issued under Article 42(7)
  4. Notify the data controller or data processor of an alleged infringement of GDPR
  5. Obtain from the data controller and data processor access to all personal data and to all information necessary for the performance of its tasks
  6. Obtain access to any premises of the controller or processor, including any data processing equipment and means

In addition to its investigative powers, GDPR grants supervisory authorities the following corrective powers:

  1. Issue warnings that intended processing operations are likely to infringe GDPR
  2. Issue reprimands where processing operations have infringed GDPR
  3. Order the controller or processor to comply with a data subject's requests to exercise his or her rights
  4. Order processing operations to be brought into compliance with GDPR, where appropriate in a specified manner and within a specified period
  5. Order the controller to communicate a personal data breach to the affected data subjects
  6. Impose a temporary or definitive limitation on processing, including a ban on processing
  7. Order the rectification or erasure of personal data or the restriction of processing, and the notification of such actions to the recipients of the data
  8. Withdraw a certification, or order the certification body to withdraw it or not to issue it
  9. Impose administrative fines, in addition to or instead of the other corrective measures
  10. Order the suspension of data flows to a recipient in a third country or to an international organization

Read our post on Article 58 GDPR for a more detailed summary of the GDPR regulation regarding the powers of the supervisory authority.

Article 59 GDPR – Activity Reports

Each supervisory authority must issue an annual report on its activities.

Read our post on Article 59 GDPR for a more detailed summary of the GDPR regulation regarding the activity reports of the supervisory authority.

Chapter VII: Cooperation And Consistency 

Article 60 GDPR – Cooperation Between The Lead Supervisory Authority And The Other Supervisory Authorities Concerned

The lead supervisory authority and the other supervisory authorities concerned must cooperate in an endeavour to reach consensus on how a data protection matter is to be handled.

To achieve that goal, they are required to exchange any relevant information with one another to help each other achieve the said consensus.

Read our post on Article 60 GDPR for a more detailed summary of the GDPR regulation regarding the cooperation between the supervisory authorities.

Article 61 GDPR – Mutual Assistance

Supervisory authorities have the obligation of mutual assistance and sharing of information allowing one another to properly implement and apply the measures required by GDPR.

Mutual assistance includes:

  1. Information requests
  2. Supervisory measures
  3. Handling consultations
  4. Prior authorizations
  5. Doing inspections
  6. Performing investigations 

Read our post on Article 61 GDPR for a more detailed summary of the GDPR regulation regarding the mutual assistance of the supervisory authorities.

Article 62 GDPR – Joint Operations of Supervisory Authorities

Supervisory authorities can act jointly with respect to an investigation or to handle a matter.

It’s up to the supervisory authorities to determine when it is appropriate to make a joint effort in handling a matter.

Read our post on Article 62 GDPR for a more detailed summary of the GDPR regulation regarding the joint operations of the supervisory authorities.

Article 63 GDPR – Consistency Mechanism

The supervisory authorities are mandated to cooperate with one another in such a way that the rules and obligations of GDPR are applied consistently throughout the European Union.

Read our post on Article 63 GDPR for a more detailed summary of the GDPR regulation regarding the consistency mechanism of the supervisory authorities.

Article 64 GDPR – Opinion of The Board

The European Data Protection Board (EDPB) must issue an opinion when a competent supervisory authority submits a draft decision that:

  1. Adopts a list of the processing operations subject to a data protection impact assessment (Article 35(4))
  2. Concerns whether a draft code of conduct, or an amendment or extension to a code, complies with GDPR
  3. Approves the criteria for accreditation of a code-monitoring body or of a certification body
  4. Determines standard data protection clauses
  5. Authorizes contractual clauses between a controller or processor and a recipient in a third country
  6. Approves binding corporate rules

Read our post on Article 64 GDPR for a more detailed summary of the GDPR regulation regarding the instances in which the opinion of the European Data Protection Board is required.

Article 65 GDPR – Dispute Resolution By The Board

In the following cases, the Board has the power to adopt a binding decision:

  1. Where a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority, and the lead authority has not followed the objection or has rejected it as not being relevant or reasoned
  2. Where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment
  3. Where a competent supervisory authority does not request the opinion of the Board in a case where it is required to, or does not follow the opinion issued by the Board

Read our post on Article 65 GDPR for a more detailed summary of the GDPR regulation regarding the instances in which the European Data Protection Board issues binding decisions.

Article 66 GDPR – Urgency Procedure

When a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism, immediately adopt provisional measures intended to produce legal effects on its own territory, with a specified period of validity not exceeding three months.

The supervisory authority must communicate those measures, and the reasons for adopting them, to the other supervisory authorities concerned, the Board and the Commission without delay.

Read our post on Article 66 GDPR for a more detailed summary of the GDPR regulation regarding the urgency procedure.

Article 67 GDPR – Exchange of Information

GDPR empowers the Commission to adopt implementing acts of general application in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the EDPB, in particular a standardised format.

Read our post on Article 67 GDPR for a more detailed summary of the GDPR regulation regarding the exchange of information.

Article 68 GDPR – European Data Protection Board

By virtue of Article 68(1) of GDPR, the European Data Protection Board is established as a body of the EU with legal personality.

The EDPB is represented by its Chair.

The EDPB is composed of the head of one supervisory authority of each EU member state and of the European Data Protection Supervisor (EDPS), or their respective representatives. The Commission has the right to participate in the activities and meetings of the Board, but without voting rights.

Read our post on Article 68 GDPR for a more detailed summary of the GDPR regulation regarding the European Data Protection Board.

Article 69 GDPR – Independence

The EDPB must act independently when performing its tasks or exercising its powers under GDPR, and must neither seek nor take instructions from anybody.

Read our post on Article 69 GDPR for a more detailed summary of the GDPR regulation regarding the European Data Protection Board’s independence.

Article 70 GDPR – Tasks of The Board

The ultimate objective of the EDPB is to ensure that the terms of GDPR are applied consistently.

Read our post on Article 70 GDPR for a more detailed summary of the GDPR regulation regarding the tasks of the European Data Protection Board.

Article 71 GDPR – Reports

EDPB must prepare an annual report regarding its operations.

Read our post on Article 71 GDPR for a more detailed summary of the GDPR regulation regarding the annual report of the European Data Protection Board.

Article 72 GDPR – Procedure

The European Data Protection Board takes its decisions by a simple majority of its members unless GDPR provides otherwise; its own rules of procedure are adopted by a two-thirds majority.

Read our post on Article 72 GDPR for a more detailed summary of the GDPR regulation regarding the procedures of the European Data Protection Board.

Article 73 GDPR – Chair

The European Data Protection Board will elect its Chair and 2 deputy chairs based on a simple majority.

Read our post on Article 73 GDPR for a more detailed summary of the GDPR regulation regarding the Chair of the European Data Protection Board.

Article 74 GDPR – Tasks of The Chair

GDPR imposes the following duties and tasks on the Chair of the EDPB:

  1. Call the meetings of the Board and prepare its meeting agenda
  2. Notify the Board’s decisions to the lead supervisory authority and concerned supervisory authorities 
  3. Ensure the Board performs its duties in a timely fashion particularly with respect to the consistency mechanism

Read our post on Article 74 GDPR for a more detailed summary of the GDPR regulation regarding the tasks of the European Data Protection Board Chair.

Article 75 GDPR – Secretariat

The European Data Protection Supervisor provides the secretariat of the EDPB.

The secretariat performs its tasks exclusively under the instructions of the Chair of the Board.

Read our post on Article 75 GDPR for a more detailed summary of the GDPR regulation regarding the secretariat of the European Data Protection Board.

Article 76 GDPR – Confidentiality

GDPR provides that the discussions of the EDPB are confidential where the Board deems it necessary, as laid down in its rules of procedure.

Read our post on Article 76 GDPR for a more detailed summary of the GDPR regulation regarding the confidentiality rules of the European Data Protection Board.

Chapter VIII: Remedies, Liability And Penalties

Article 77 GDPR – Right To Lodge A Complaint With A Supervisory Authority

GDPR grants the right to every data subject to file a complaint with a supervisory authority for any matters pertaining to GDPR and its possible infringement.

Data subjects can file their complaint with:

  1. The supervisory authority of their habitual residence
  2. The supervisory authority of their place of work
  3. The supervisory authority of the place where the GDPR infringement occurred

Read our post on Article 77 GDPR for a more detailed summary of the GDPR regulation regarding the data subject’s right to file a complaint with a supervisory authority.

Article 78 GDPR – Right To An Effective Judicial Remedy Against A Supervisory Authority

GDPR gives every natural or legal person the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

In addition, every data subject has the right to an effective judicial remedy in the following situations:

  1. When the competent supervisory authority does not handle a complaint
  2. When the supervisory authority does not inform the data subject within three months of the progress or outcome of the complaint

Read our post on Article 78 GDPR for a more detailed summary of the GDPR regulation regarding the data subject’s right to file suit against the decision of a supervisory authority.

Article 79 GDPR – Right To An Effective Judicial Remedy Against A Controller Or Processor

In addition to the right to lodge a complaint with the supervisory authority, GDPR makes it clear that each data subject also has the right to an effective judicial remedy before the courts where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in breach of the regulation. Such proceedings may be brought before the courts of the member state where the controller or processor has an establishment or, alternatively, where the data subject has his or her habitual residence.

Read our post on Article 79 GDPR for a more detailed summary of the GDPR regulation regarding the data subject’s right to file suit for GDPR infringement.

Article 80 GDPR – Representation of Data Subjects

GDPR allows data subjects to mandate a not-for-profit body, organization or association which has been properly constituted under the law of an EU member state, whose statutory objectives are in the public interest and which is active in the field of data protection, to:

  1. Lodge a complaint with a supervisory authority on his or her behalf
  2. Exercise the rights to a judicial remedy under Articles 78 and 79 on his or her behalf
  3. Receive compensation under Article 82 on his or her behalf, where member state law so provides

Read our post on Article 80 GDPR for a more detailed summary of the GDPR regulation regarding the data subject’s right to be represented.

Article 81 GDPR – Suspension of Proceedings

When proceedings concerning the same subject-matter as regards processing by the same data controller or data processor are pending before courts in different EU member states, any competent court other than the court first seised may suspend its proceedings. Where those proceedings are pending at first instance, a court other than the court first seised may also, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits their consolidation.

Read our post on Article 81 GDPR for a more detailed summary of the GDPR regulation regarding the court’s right to suspend proceedings or decline jurisdiction.

Article 82 GDPR – Right To Compensation And Liability

GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the data controller or data processor for the damage suffered.

Any data controller involved in processing is liable for the damage caused by processing which infringes GDPR.

A data processor is liable for damage caused by processing only where:

  1. It has not complied with the obligations of GDPR specifically directed to processors
  2. It has acted outside the lawful instructions of the data controller
  3. It has acted contrary to the lawful instructions of the data controller

A data controller or data processor is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Where more than one controller or processor is involved in the same processing and responsible for the damage, each is liable for the entire damage so that the data subject is effectively compensated, with a right to claim back from the others the part of the compensation corresponding to their share of responsibility.

Read our post on Article 82 GDPR for a more detailed summary of the GDPR regulation regarding the liability of data controller and data processors.

Article 83 GDPR – General Conditions For Imposing Administrative Fines

GDPR clearly stipulates that each supervisory authority must ensure that the administrative fines it imposes for infringements are effective, proportionate and dissuasive. Depending on the circumstances of each individual case, fines may be imposed:

  1. In addition to the corrective measures under Article 58(2)
  2. Instead of those corrective measures

The maximum fine depends on the provision infringed: up to EUR 10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher, for the infringements listed in Article 83(4), and up to EUR 20 million or 4% of that turnover, whichever is higher, for those listed in Article 83(5).

Furthermore, GDPR gives the supervisory authorities factors to consider when deciding whether to impose an administrative fine and on its amount.

The following factors should be considered when imposing an administrative fine:

  1. The nature of the infringement
  2. The gravity of the infringement 
  3. The duration of the infringement 
  4. Number of data subjects affected 
  5. Level of damage suffered by each data subject
  6. The intentional character of the infringement 
  7. The level of negligence on the part of the controller or processor
  8. Measures taken by the controller or processor to mitigate damages 
  9. The degree of responsibility of the data controller or data processor, taking into account the data protection by design and by default measures implemented under Article 25
  10. The degree of responsibility of the data controller or data processor, taking into account the technical and organizational security measures implemented under Article 32
  11. Infringement history of the data controller or processor 
  12. The level of cooperation with the supervisory authority 
  13. The categories of personal data affected
  14. The manner in which the infringement became known to the supervisory authority, in particular whether, and to what extent, the data controller or processor notified it themselves
  15. Previous orders of corrective measures on the same subject-matter and how the organization had complied with the past orders 
  16. Adherence to approved codes of conduct or not 
  17. Adherence to approved certification mechanisms 
  18. Any other aggravating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided through the infringement
  19. Any other mitigating factor applicable to the circumstances of the case

Read our post on Article 83 GDPR for a more detailed summary of the GDPR regulation regarding the administrative fines that a supervisory authority may issue.

Article 84 GDPR – Penalties

Each EU member state must lay down the rules on other penalties applicable to infringements of GDPR, in particular infringements which are not subject to administrative fines under Article 83.

When an EU member country adopts such other penalties, it must ensure that the penalty will be effective, dissuasive and proportionate to the infringement.

Read our post on Article 84 GDPR for a more detailed summary of the GDPR regulation regarding other penalties EU member countries can adopt.

Chapter IX: Provisions Relating To Specific Processing Situations

Article 85 GDPR – Processing And Freedom of Expression And Information

GDPR provides that EU member states must, by law, reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for:

  1. Journalistic purposes
  2. Academic expression
  3. Artistic expression
  4. Literary expression

Read our post on Article 85 GDPR for a more detailed summary of the GDPR regulation regarding the reconciliation of data protection and freedom of expression.

Article 86 GDPR – Processing And Public Access To Official Documents

Personal data in official documents held by the following may be disclosed in accordance with EU or member state law, in order to reconcile public access to official documents with the right to the protection of personal data:

  1. Public authorities
  2. Public bodies
  3. Private bodies carrying out a task in the public interest

Read our post on Article 86 GDPR for a more detailed summary of the GDPR regulation regarding the reconciliation of data protection and public access of official documents.

Article 87 GDPR – Processing of The National Identification Number

EU member states may further determine the specific conditions for the processing of a national identification number or any other identifier of general application; in that case, the identifier must be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to GDPR.

Read our post on Article 87 GDPR for a more detailed summary of the GDPR regulation regarding the use of national identification numbers.

Article 88 GDPR – Processing In The Context of Employment

GDPR specifies that each EU member country may, by law or through collective agreements, allow for more specific provisions with respect to the processing of personal information in the context of employment.

GDPR specifically identifies the following purposes:

  1. Recruitment
  2. Performance of the contract of employment, including the discharge of obligations laid down by law or by collective agreements
  3. Management, planning and organization of work
  4. Equality and diversity in the workplace
  5. Health and safety at work
  6. Protection of the employer's or the customer's property
  7. Exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment
  8. Termination of the employment relationship

Such rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, in particular as regards the transparency of processing, the transfer of personal data within a group of undertakings, and monitoring systems at the workplace.

Read our post on Article 88 GDPR for a more detailed summary of the GDPR regulation regarding the processing of personal data in the context of employment.

Article 89 GDPR – Safeguards And Derogations Relating To Processing For Archiving Purposes In The Public Interest, Scientific or Historical Research Purposes or Statistical Purposes

Subject to appropriate safeguards for the rights and freedoms of the data subject, personal data may be processed for the following purposes:

  1. Archiving purposes in the public interest
  2. Scientific research purposes
  3. Historical research purposes
  4. Statistical purposes

Those safeguards must ensure that technical and organizational measures are in place, in particular to:

  1. Ensure respect for the principle of data minimization
  2. Apply pseudonymization wherever the purposes can be fulfilled in that manner, and, where the purposes can be fulfilled by processing which does not permit the identification of data subjects at all, process the data in that manner

Read our post on Article 89 GDPR for a more detailed summary of the GDPR regulation regarding the processing of personal data in the interest of the public, for scientific, historical or statistical purposes.

Article 90 GDPR – Obligations of Secrecy

EU member states may adopt specific rules to set out the supervisory authority's powers to obtain access to personal data and to premises (Article 58(1)(e) and (f)) in relation to controllers or processors that are subject to an obligation of professional secrecy, where that is necessary and proportionate to reconcile the right to the protection of personal data with the obligation of secrecy.

Read our post on Article 90 GDPR for a more detailed summary of the GDPR regulation regarding the obligation of secrecy.

Article 91 GDPR – Existing Data Protection Rules of Churches And Religious Associations

If, at the time GDPR entered into force, churches and religious associations or communities in a member state applied comprehensive rules relating to the protection of natural persons with regard to processing, those rules may continue to apply provided they are brought into line with GDPR. Such bodies remain subject to the supervision of an independent supervisory authority, which may be a specific one.

Read our post on Article 91 GDPR for a more detailed summary of the GDPR regulation regarding the rules applicable to churches and religious associations.

Chapter X: Delegated Acts And Implementing Acts

Article 92 GDPR – Exercise of The Delegation

The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in Article 92 of GDPR.

The European Parliament or the Council may revoke that delegation of power at any time.

Read our post on Article 92 GDPR for a more detailed summary of the GDPR regulation regarding delegated acts.

Article 93 GDPR – Committee Procedure

GDPR provides that the Commission is assisted by a committee.

That committee is a committee within the meaning of Regulation (EU) No 182/2011.

Read our post on Article 93 GDPR for a more detailed summary of the GDPR regulation regarding the committee procedure.

Chapter XI: Final Provisions

Article 94 GDPR – Repeal of Directive 95/46/EC

Article 94 of GDPR repeals Directive 95/46/EC with effect from May 25, 2018.

Read our post on Article 94 GDPR for a more detailed summary of the GDPR regulation regarding the repealing of Directive 95/46/EC.

Article 95 GDPR – Relationship With Directive 2002/58/EC

GDPR will not impose additional obligations on individuals and companies providing publicly available electronic communications services in public communication networks, in relation to matters for which they are already subject to specific obligations under Directive 2002/58/EC.

Read our post on Article 95 GDPR for a more detailed summary of the GDPR regulation regarding the obligations related to Directive 2002/58/EC.

Article 96 GDPR – Relationship With Previously Concluded Agreements

GDPR clarifies that any international agreements relating to the transfer of personal data to third countries concluded prior to May 24, 2016, will remain in full force and effect until amended, replaced or revoked.

Read our post on Article 96 GDPR for a more detailed summary of the GDPR regulation regarding the impact on previously concluded agreements with third countries.

Article 97 GDPR – Commission Reports

Every four years, the Commission must issue a report on its evaluation and review of GDPR.

The report must be submitted to the European Parliament and the Council and should be publicly available.

Read our post on Article 97 GDPR for a more detailed summary of the GDPR regulation regarding the Commission reports.

Article 98 GDPR – Review of Other Union Legal Acts On Data Protection

GDPR clarifies that the Commission, where appropriate, must submit proposals to amend other European Union acts on data protection, with the objective of ensuring consistent and uniform protection of individuals.

Read our post on Article 98 GDPR for a more detailed summary of the GDPR regulation regarding the review of other Union acts on data protection.

Article 99 GDPR – Entry Into Force And Application

GDPR shall apply as of May 25, 2018.

Read our post on Article 99 GDPR for a more detailed summary of the GDPR regulation regarding the effective date of GDPR.