General Data Protection Regulation (GDPR) - Document structure


Chapter I - General provisions


Article 1 - Subject-matter and objectives

Subject-matter
Objective of the regulation
Free movement of personal data

Article 2 - Material scope

Positive definition of the material scope
Negative definition of the material scope
Processing of personal data by the Union institutions, bodies, offices and agencies
Application of Directive 2000/31/EC

Article 3 - Territorial scope

Territorial scope for the EU subjects
Territorial scope for the non-EU subjects
Territorial scope for the place under the law of the Member State

Article 4 - Definition of terms

Personal data
Processing
Restriction of processing
Profiling
Pseudonymization
Filing system
Controller
Processor
Recipient
Third party
Consent
Personal data breach
Genetic data
Biometric data
Data concerning health
Main establishment
Representative
Enterprise
Group of undertakings
Binding corporate rules
Supervisory authority
Supervisory authority concerned
Cross-border processing
Relevant and reasoned objection
Information society service
International organisation



Chapter II - Principles


Article 5 - Principles relating to processing of personal data

Principle of lawfulness, fairness and transparency
Purpose limitation principle
Data minimization principle
Principle of accuracy
Storage limitation principle
Principle of integrity and confidentiality
Principle of accountability

Article 6 - Lawfulness of processing

Consent of a data subject
Performance of a contract
Compliance with a legal obligation
To protect the vital interests of the data subject or of another natural person
Performance of a task carried out in the public interest
Purposes of the legitimate interests pursued by the controller or by a third party
Implementation of the requirements for the processing in terms of the paragraph 1, points c) and e) of the regulation
Basis for the processing referred to in point (c) and (e) of paragraph 1
Processing for a purpose other than that for which the personal data have been collected originally

Article 7 - Conditions for consent

Obligation to demonstrate the consent for processing the personal data
Transparency of the consent for personal data processing
The right to withdraw his or her consent at any time
Assessing the consent given

Article 8 - Conditions applicable to child's consent in relation to information society services

Requirements for the information society services in context of a child
Obligations of the controller in context of the child when processing the personal data
Restrictions in terms of the Article 8, paragraph 1

Article 9 - Processing of special categories of personal data

Prohibition of processing the special categories of personal data
Exclusions from the prohibition of processing the special categories of personal data
Provisions regarding the processing of special categories of personal data in terms of the Article 9, paragraph 2, point h)
Further conditions regarding the processing of genetic data, biometric data or data concerning health

Article 10 - Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences

Article 11 - Processing which does not require identification

Exemption from the obligation to maintain, acquire or process additional information in order to identify the data subject
Reasons for derogating the exercise of the Articles 15 – 20



Chapter III - Rights of the data subject


Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject

Measures of the controller in terms of providing the information to data subjects
Facilitating the data subject rights
Providing the information on action taken on a request under Articles 15 to 22 to the data subject
Obligations of the controller in case when the data subject request is unadopted
Rights of the controller in case of the inappropriate requests from the data subject
Additional information claims from the controller
Providing the information in terms of Articles 13 and 14
The right of the Commission to act in terms of the Article 92

Article 13 - Information to be provided where personal data are collected from the data subject

Information provided to the data subject when personal data has been acquired from a data subject
Additional information provided to the data subject when personal data has been acquired from a data subject
Information provided to the data subject when controller intends to further process the personal data for a purpose other than that for which the personal data were collected
Exemption from exercising the paragraphs 1 – 3, Article 13

Article 14 - Information to be provided where personal data have not been obtained from the data subject

Information provided where personal data have not been obtained from the data subject
Some additional information provided where personal data have not been obtained from the data subject
Principles of providing the information in terms of the Article 14, paragraph 1 and 2 of the regulation
Providing the information where the controller intends to process the personal data for a purpose other than that for which the personal data were obtained
Exemptions from the application of the obligation of the controller to provide information in terms of the Article 14, paragraphs 1 – 4

Article 15 - Right of access by the data subject

Right of the data subject to obtain a confirmation of the personal data processing from the controller
Right to be informed of appropriate safeguards pursuant to Article 46 relating to the transfer
Obligation to provide a copy of the personal data which are being processed
Limitation of the negative implications in context of the other subjects' rights

Article 16 - Right to rectification

Right to rectification

Article 17 - Right to erasure 'right to be forgotten'

Reason for eligibility of the data subject to exercise the right to be forgotten
Obligations of the controller after the right to be forgotten has been applied
Exemptions from the application of Article 17, paragraph 1 and 2

Article 18 - Right to restriction of processing

Restraining the personal data processing
Processing the personal data after the right to restriction of processing has been applied
Information duty of the controller in context of the personal data processing limitation

Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing

Information obligation of the controller towards the recipients

Article 20 - Right to data portability

Right of the data subject to personal data portability
Portability of the personal data from one controller to another controller
Limitation of the right to obtain the personal data
Limitation of the negative implications relating to other subjects' rights

Article 21 - Right to object

Right of the data subject to object to the processing of personal data
Right of the data subject to object to the personal data processing related to the marketing purposes
Prohibition of the personal data processing after the Article 21, paragraph 2 has been applied
Obligation of the controller to inform the data subject about the right to object
Application of the right to object using the automated services
Right to object to the personal data processing for the purposes of the scientific, historical or statistical reasons

Article 22 - Automated individual decision-making, including profiling

Right not to be subject to a decision based solely on the automated processing
Restrictions in application of the Article 22, paragraph 1
Proceedings of the controller in case of the Article 22, paragraph 2, points a) – c) application
Decisions according to the Article 22, paragraph 2

Article 23 - Restrictions

Restrictions of the scope of rights and obligations settled in the Articles 12 – 22, 34 and 5
Minimum scope of the individual provisions in terms of the Article 23, paragraph 1 of the regulation



Chapter IV - Controller and processor


Article 24 - Responsibility of the controller

Responsibilities of the controller relating to the personal data processing
Implementation of appropriate data protection policies by the controller
Possibilities of declaring the obligations fulfilment

Article 25 - Data protection by design and by default

Implementation of the appropriate technical and organisational measures
Processing of the personal data “by default”
Approved certification mechanism pursuant to Article 42

Article 26 - Joint controllers

Personal data processing by the joint controllers
Respective roles and relationships of the joint controllers vis-à-vis the data subjects
Exercising the rights of the data subject against each of the controllers

Article 27 - Representatives of controllers or processors not established in the Union

Designating the representative of the controller or processor
Limitation of the obligation laid down in the Article 27, paragraph 1
Designating the place of activity of the controller, that is settled outside the EU
Defining the delegation scope of the controller or processor
Legal instruments of the remedies against the controller or processor

Article 28 - Processor

Guarantees of the processor for implementing the adequate protective measures
Conditions for engaging the other processor to the data processing
Minimal scope of the contract essentials between the Controller and Processor
Designation of the identical scope of the responsibilities for the other processor
Certification mechanism as referred to in Article 42
Basic Standard contract clauses between the Controller and Processor
Setting the standard contract clauses settled by the Commission
Standard contractual clauses that are settled by the supervisory authority
Contract or any other legal document in terms of the Article 28, paragraphs 3 and 4
Consequences of misconducting the purposes and instruments in the process of personal data processing by the processor

Article 29 - Processing under the authority of the controller or processor

Obligation of the processor to comply with the instructions of the controller

Article 30 - Records of processing activities

Mandatory scope of the processing activities record
A record of all the processing activities categories, that are carried on behalf of a controller
Form of the records according to Article 30, paragraphs 1 and 2
Making the records available to the supervisory authority if needed
Exemption from the obligations listed in the Article 30, paragraph 1 and 2

Article 31 - Cooperation with the supervisory authority

Cooperation with the supervisory authority

Article 32 - Cooperation with the supervisory authority

Implementation of the appropriate technical and organisational measures
Assessing the appropriate level of security
Adherence to an approved code of conduct as referred to in Article 40
Ensuring the activities compliance of any natural person, acting under the authority of controller or processor

Article 33 - Notification of a personal data breach to the supervisory authority

Period for declaring the personal data breach
Notification of the data breach to the controller
The minimal content of the personal data breach notification
Additional information relating to the personal data breach notification
Documentary measures relating to the personal data breach

Article 34 - Communicating the personal data breach with the data subject

Communication of the personal data breach to the data subject
Notification method in context of the Article 34, paragraph 1 of the regulation
Situation where the notification obligation shall not apply
Competencies of the supervisory authority, in relation to the personal data breach notification

Article 35 - Data protection impact assessment

Personal data processing that requires the DPIA – general provision
Cooperation between the controller and data protection officer
Processing that requires the obligatory DPIA
List of processing operations which require an obligatory data protection impact assessment
List of the kind of processing operations for which no data protection impact assessment is required
Consistency mechanism referred to in Article 63
Minimal content of the DPIA
Assessing the impact of the processing performed by such controllers or processors
Gathering the opinions of data subjects or their representatives
Situations where the DPIA need not be done
Situation where the DPIA might be necessary

Article 36 - Prior consultation

Situations that require the prior consultations with the supervisory authority
Competency of the supervisory authority in case of the specific situations
Information provided for the supervisory authority by the controller
Consultations during the legislative process
Supervisory authority consultation relating to social policy and public health policy

Article 37 - Designation of the data protection officer

Compulsory designation of the data protection officer (DPO)
Appointing the Data protection officer by the group of undertakings
Appointing the Data protection officer by the public authority or body
Optional designation of the Data protection officer
Basic requirements for the Data protection officer job position
Appointing the employee to the position of the Data protection officer
Publishing the data of the designated data protection officer

Article 38 - Position of the data protection officer

Responsibility of the controller and processor in context of the Data protection officer
Providing the support for the data protection officer
Organizational status of the Data protection officer
Contacting the Data protection officer
The confidentiality obligation of the Data protection officer
The Data protection officer and its other tasks and duties

Article 39 - Tasks of the data protection officer

Responsibility of the data protection officer
Some other tasks of the Data protection officer

Article 40 - Codes of conduct

Support in working out the codes of conduct
Codes of conduct
Implementation of the codes of conduct by those subjects, which are outside the scope of this regulation
Monitoring the compliance of the codes of conduct
Assessment of the code of conduct by the supervisory authority
Registration and publication of the code of conduct
Submitting the code of conduct to the Board
Submitting the code of conduct to the Board
Determination of the general validity of the approved code of conduct
Publication of the generally valid and approved codes of conduct
Collecting and publishing all the approved codes of conduct by the Board

Article 41 - Monitoring of approved codes of conduct

Monitoring the compliance with a code of conduct by the designated subject
Basic criteria for an accreditation of a designated subject
Submitting the draft for the accreditation process
Measures taken in situations when the code of conduct is breached by the Controller or Processor
Reasons for withdrawal of the accreditation
Scope limitation of the Article 41 in context of the public authorities and bodies

Article 42 - Certification

Supporting the certification mechanisms process
Demonstrating the existence of appropriate safeguards, provided by the controllers or processors that are not subject to this Regulation pursuant to Article 3
Transparency rules in the certification process
Responsibility of the Controller and Processor relating to the certification process
Common certification and the European Data Protection Seal
Providing the information and access, that are essential for the certification procedure
Validity of the certificate and its prolongation
Publication of the certification mechanisms, data protection seals and data protection marks

Article 43 - Certification bodies

Issuing the certification
Accreditation conditions in relation to the certification subjects
Implementation criteria of the certification subjects accreditation process
Validity of the accreditation and its prolongation
Information obligation of the certification subjects
Publishing the certification criteria
Revocation of the accreditation
Determination of the certification requirements
Technical specifications for the certification mechanisms, seals and marks



Chapter V - Transfers of personal data to third countries or international organisations


Article 44 - General principle for transfers

Basic conditions for the personal data transfer

Article 45 - Transfers on the basis of an adequacy decision

General conditions for transferring the personal data
Assessment of the adequacy in context of the data protection level
Decision in context of the adequate level of personal data protection
Monitoring activity of the Commission
Repeal, amendment or suspension of the Commission decision, in relation to the Article 45, paragraph 3
Consultations with the third country or an international organization
Exemptions in the decision, based on the Article 45, paragraph 5
Information about the adequate level of the protection from the third country or an international organisation
Validity of the decisions based on the Article 25, paragraph 6 of the Directive 95/46/EC

Article 46 - Transfers subject to appropriate safeguards

Personal data transfer in case of the absence of the decision based on the Article 45(3)
Possibilities of setting the appropriate safeguards up
Priority forms and approaches of the appropriate safeguards based on the Article 46, paragraph 1
Application of the consistency mechanism based on the Article 63
Validity of the permissions that were issued under the Article 26, paragraph 2 of the Directive 95/46/EC

Article 47 - Binding corporate rules

Conditions for accepting the binding corporate rules
Minimal essential content of the binding corporate rules
Exchange of information between the subjects

Article 48 - Transfers or disclosures not authorised by Union law

Mutual legal assistance between the requesting third country and the Union or a Member State

Article 49 - Derogations for specific situations

Conditions for the personal data transfer in case of an appropriate safeguards decision absence
Specifications to the personal data transfer in context of the Article 49, paragraph 1
Exceptions from the personal data transfer rules
Public interest in context of the personal data transfer
The limitation of the special personal data category transfer
Documentation of the assessment and suitable safeguards

Article 50 - International cooperation for the protection of personal data

Activity of the Commission and the supervisory authorities in context of the international support



Chapter VI - Independent supervisory authorities


Article 51 - Supervisory authority

Establishing the supervisory authority
Activity of the supervisory authority
Designating the supervisory authority for representation activities at the Board
Notification obligation of the Member State in terms of the Chapter VI

Article 52 - Independence

Independence of the supervisory authority
Independence of the supervisory authority's members
Obligation of the supervisory authority members to refrain from any action, that might be incompatible with their duties
Obligation to provide the working conditions for the supervisory authority activities
Conditions for the supervisory authority staff selection
Financial control of the supervisory authority

Article 53 - General conditions for the members of the supervisory authority

Appointing the members of the supervisory authority
Essential requirements for the supervisory authority members
Derogations of the supervisory authority member duties
Recall of the supervisory authority member

Article 54 - Rules on the establishment of the supervisory authority

Determination rules for the supervisory authority members
Professional secrecy commitment of the supervisory authority members and employees

Article 55 - Competence

Competence of the supervisory authority
Exemption from the Article 56 application
Limitation of the competence scope of the supervisory authority

Article 56 - Competence of the lead supervisory authority

Competence of the lead supervisory authority in terms of the Article 60
Right of the supervisory authority in context of the submitted complaint
Obligations of the supervisory authority after receiving the complaint in terms of the Article 56, paragraph 2
Decision of the lead supervisory authority to handle the case
Decision of the lead supervisory authority to reject the case
The lead supervisory authority in context of the cross-border processing

Article 57 - Tasks

Scope of the supervisory authority on its territory
Facilitation of the complaint's submission process
The free-of-charge principle of performing the supervisory authority tasks
Right of the supervisory authority to demand the services charges

Article 58 - Powers

Investigative powers of the supervisory authority
Corrective powers of the supervisory authority
Authorisation and advisory powers of the supervisory authority
The exercise of powers by the supervisory authority
Right of the supervisory authority to bring infringements of this Regulation to attention of the judicial authorities
Implementation of the additional rights of the supervisory authority

Article 59 - Activity reports

The annual report on the supervisory authority activities



Chapter VII - Cooperation and consistency


Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned

Cooperation between the lead supervisory authority and the respective supervisory authorities
Cooperation between the supervisory authorities
Communication in case of the relevant information on the matter to the other supervisory authorities concerned
The proceeding of the lead supervisory authority in case of the disagreement with the objection
The proceeding of the lead supervisory authority in case of the acceptance of the objection
The binding nature of the decision for the other supervisory authorities
The notification obligation of the lead supervisory authority in case of the submitted appeal
The notification obligation of the lead supervisory authority in case of the rejection of the submitted appeal
The proceeding of the lead supervisory authority and other supervisory authorities in case of the partial rejection of the submitted appeal
Obligations of the controller (or processor) after the decision has been published
Proceedings in case of the urgent situations
Sharing the information between the lead supervisory authority and the respective supervisory authorities

Article 61 - Mutual assistance

Providing the information and cooperation between the supervisory authorities
Appropriate measures required to reply to a request of another supervisory authority
Requests for assistance or cooperation
Reasons for refusing a request by the supervisory authority
Information provided to the requesting supervisory authority by the requested supervisory authority
The ways of providing the information by the requested supervisory authorities
The basic rules of cooperation between the supervisory authorities
A provisional measure in the territory of the individual Member State in accordance with an Article 55(1)
A specification of the forms and ways of cooperation between the supervisory authorities

Article 62 - Joint operations of supervisory authorities

Joint operations and joint investigation
A competency of the supervisory authorities during the joint operations
The competency of the supervisory authority personnel
A responsibility for the activities of the dispatched supervisory authority personnel
Reimbursement of the damage that is caused by the seconding supervisory authority personnel
The prohibition of requesting the reimbursement in terms of the Article 62, paragraph 4 of the regulation
A provisional measure adoption in case of an obligation breach according to Article 62, paragraph 2, second sentence

Article 63 - Consistency mechanism

Consistency mechanism

Article 64 - Opinion of the Board

An opinion of the Board
Examination of an appeal by the Board
Issuing an opinion based on the Article 64, paragraphs 1 and 2
Cooperation between the supervisory authorities, Commission and Board
An information obligation of the Chair of the Board
Restriction in the case of adopting the decision by the supervisory authority
An activity of the supervisory authority after receiving the opinion of the Board
An action taken by the respective supervisory authority after the opinion of the Board has been rejected

Article 65 - Dispute resolution by the Board

Reasons for adopting the binding decisions by the Board
Period for adopting the decisions based on the Article 65, paragraph 1
Activity of the Board when the periods, based on the Article 65, have been missed
Restrictions in adopting the decision within the period based on the Article 65, paragraph 2 and 3
A notification responsibility of the Chair of the Board
An activity of the Chair of the Board after the final decision has been accepted

Article 66 - Urgency procedure

Adoption of the provisional measures by the respective supervisory authority
Publication of the urgent opinion or binding decision
Request for an urgent opinion publication
Some exemptions in adopting the urgent opinion or an urgent binding decision

Article 67 - Exchange of information

Right of the Commission to adopt the implementing acts of the general scope

Article 68 - European Data Protection Board

The establishment of the European Data Protection Board
Chair of the Board
Structure of the Board
Designation of the joint representative of the supervisory authorities
Participation of the Commission during the Board sessions
Competency of the European Data Protection Supervisor

Article 69 - Independence

Independence of the Board
Individual provision in context of the independence of the Board

Article 70 - Tasks of the Board

Scope of the Board activities and responsibilities
Determination of the period by the Commission
Publication of the consultations results, opinions and best practices, that are made by the Board
Consultations of the Board with the respective parties

Article 71 - Reports

An annual report of the Board in context of the protection of natural persons during the personal data processing activities in the Union
Scope of the annual report of the Board

Article 72 - Procedure

Procedure in taking the decisions by the Board
Operational arrangements of the Board

Article 73 - Chair

Election of the Chair of the Board
Term of office of the Chair of the Board

Article 74 - Tasks of the Chair

Tasks of the Chair of the Board
Allocation of the tasks to the Chair of the Board and Deputy Chair of the Board

Article 75 - Secretariat

Secretariat
Tasks of the Secretariat of the Board
Personnel of the European Data Protection Supervisor
Cooperation between the Board and European Data Protection Supervisor
Scope of the cooperation between the Board and Secretariat
Responsibility of the Secretariat

Article 76 - Confidentiality

Confidential discussions of the Board
Access to documents of the Board



Chapter VIII - Remedies, liability and penalties


Article 77 - Right to lodge a complaint with a supervisory authority

The competency for submitting the request to the supervisory authority
Information duty of the supervisory authority after receiving the complaint

Article 78 - Right to an effective judicial remedy against a supervisory authority

Right to an effective judicial remedy against a supervisory authority
The right to an effective judicial remedy
Local competency of the judicial authorities to proceed in relation to the personal data protection
Forwarding the opinion or decision to the respective judicial authorities

Article 79 - Right to an effective judicial remedy against a controller or processor

Right to an effective judicial remedy
The local competency of the judicial authorities for submitting the proceeding against the controller or processor

Article 80 - Representation of data subjects

Representation of data subjects
Extension of the rights and mandates for the not-for-profit body, organisation or association in the Member States

Article 81 - Suspension of proceedings

Existence of the identical proceedings
Suspension of the proceeding by the court
Individual provision in context of the judicial authorities competence concerning the identical proceedings

Article 82 - Right to compensation and liability

Compensation for the material or non-material damage as a result of an infringement of this Regulation
Special provisions in context of the responsibility for the damage in terms of the Article 82, paragraph 1
Circumstances that are excluding the responsibility of the controller or processor for the damage
Joint liability in context of the personal data processing
Compensation for the damage suffered
Court proceedings related to exercising the right to receive compensation

Article 83 - General conditions for imposing administrative fines

Basic rules for imposing the administrative fines
Facts and conditions that are influencing the imposition of administrative fines
Principles for imposing the maximum administrative fines
Provisions concerning the administrative fines – up to 10 000 000,- EUR
Provisions concerning the administrative fines – up to 10 000 000,- EUR
Fines for the non-compliance with an order by the supervisory authority as referred to in Article 58(2)
Some other principles for imposing the administrative fines
Competency of the supervisory authority and appropriate procedural safeguards
Application of the sanction mechanism when no administrative fines are imposed

Article 84 - Penalties

Special provisions concerning the other sanction in case of non-compliance with the regulation
A notification obligation of the Member State based on the Article 84, paragraph 1



Chapter IX - Provisions relating to specific processing situations


Article 85 - Processing and freedom of expression and information

Harmonization of the right to the personal data protection with the legal system of the Member State
Personal data processing, carried out for the journalistic purposes or for the purpose of an academic, artistic or literary expression
Notification obligation of the Member State based on the Article 85, paragraph 2

Article 86 - Processing and public access to official documents

Processing and public access to official documents

Article 87 - Processing of the national identification number

Processing of the national identification number

Article 88 - Processing in the context of employment

Principles of personal data processing for the purpose of the employment
Special provisions on personal data processing in context of the group of undertakings
Notification obligation based on the Article 88, paragraph 1

Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Appropriate safeguards related to the rights and freedoms of the data subject
Exemption in personal data processing for scientific, historical or statistical purposes or research
Exemption in personal data processing for archiving purposes
Restrictions in the exemptions based on the Article 89, paragraph 2 and 3

Article 90 - Obligations of secrecy

Right of the supervisory authorities in terms of the Article 58, paragraph 1, points e) and f)
Notification obligation of the Member State in context of the Article 90, paragraph 1

Article 91 - Existing data protection rules of churches and religious associations

Harmonization of the data protection rules, related to the churches and religious associations
Supervisory authority for the personal data processing in churches and religious associations



Chapter X - Delegated acts and implementing acts


Article 92 - Exercise of the delegation

Right of the Commission to adopt delegated acts
Period for adopting the delegated acts
Subjects entitled to revoke the delegation of power referred to in Article 12(8) and Article 43(8)
Notification of the adoption of a delegated act
The delegated act and its entering into force

Article 93 - Committee procedure

Cooperation between the Commission and Committee
Reference to the Article 5 of Regulation (EU) No 182/2011
Reference to the Article 5 in connection with Article 8 of Regulation (EU) No. 182/2011



Chapter XI - Final provisions


Article 94 - Repeal of Directive 95/46/EC

Expiry date of the Directive 95/46/EC
Special provisions and references to the Directive 95/46/EC

Article 95 - Relationship with Directive 2002/58/EC

Relationship with Directive 2002/58/EC

Article 96 - Relationship with previously concluded Agreements

Relationship with previously concluded Agreements

Article 97 - Commission reports

Submitting a report on the evaluation and review of this Regulation to the European Parliament and to the Council
Obligations of the Commission in the context of the evaluation and reviewing of this regulation
Right of the Commission to request information from the Member States and supervisory authorities
Procedure of the Commission during the evaluation and reviewing process
Submission of the appropriate amendment proposals

Article 98 - Review of other Union legal acts on data protection

Submitting the amendment legal acts

Article 99 - Entry into force and application

Entry into force of this regulation
Application of this regulation