
Thursday, February 29, 2024

GDPR - History & Timeline

The General Data Protection Regulation (GDPR) is a significant piece of legislation concerning data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). It also affects businesses outside the EU that offer goods or services to individuals in the EU or monitor their behavior. The GDPR aims to protect the personal data of individuals and give them more control over how their data is used and shared by organizations. The GDPR has several key principles, rights, and obligations that organizations must follow to comply with the law and avoid fines or penalties.

The GDPR was created to replace the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy. The Data Protection Directive required each EU country to enact its own data protection laws based on the directive’s principles. However, this resulted in inconsistent and outdated rules across the EU, creating challenges for individuals and businesses alike. The GDPR was designed to harmonize data protection rules across the EU and ensure a consistent level of protection for individuals’ personal data. The GDPR also reflects the changes and challenges brought by new technologies and practices, such as cloud computing, social media, and big data.

The GDPR was adopted by the European Parliament on 14 April 2016, signed on 27 April 2016 and published in the Official Journal on 4 May 2016. It entered into force on 24 May 2016 and, after a two-year transition period, became applicable on 25 May 2018. As an EU regulation (rather than a directive), the GDPR is directly applicable with the force of law in every member state without national implementing legislation. It does, however, leave room for member states to modify (derogate from) some of its provisions, for example the age of consent for children's online services. The GDPR is considered one of the most important and influential data protection laws in the world and has inspired many other countries and regions to adopt similar or compatible regulations.

Timeline: (the timeline graphic is not reproduced in this text)

GDPR - Terms & Definitions

The General Data Protection Regulation (GDPR) is a European Union regulation that sets strict standards for the processing and protection of personal data. It grants individuals greater control over their information, requires organizations to be transparent about data practices, and imposes significant fines for non-compliance. The GDPR aims to enhance privacy rights and unify data protection laws across the EU.

The GDPR contains numerous terms and definitions relevant to data protection and privacy. A selection of them is listed below in alphabetical order:

  • Automated Decision-Making: The use of algorithms or automated processes to make decisions about individuals. GDPR provides rights for data subjects regarding automated decisions, including the right to human intervention.
  • Binding Corporate Rules: These are a set of binding rules that allow multinational companies and organizations to transfer personal data they control from the EU to their affiliates outside the EU (but within the same organization).
  • Biometric Data: Refers to personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person. Examples include facial images or dactyloscopic data (fingerprint data).
  • Children’s Data: Special protection applies to the personal data of children. Where an information society service is offered directly to a child and consent is the legal basis, the child must be at least 16 for the consent to be valid; member states may lower that threshold, but not below 13. Below the threshold, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this (Article 8).
  • Consent: It’s any freely given, specific, informed, and unambiguous indication of a data subject’s wishes. Consent signifies agreement to the processing of personal data related to them.
  • Cross-Border Data Transfers: GDPR imposes restrictions on transferring personal data outside the EU. Organizations must ensure that data transfers to non-EU countries comply with specific conditions (such as adequacy decisions, standard contractual clauses, or binding corporate rules).
  • Data Breach Notification: A controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a notification made after 72 hours must explain the delay. A processor must notify the controller without undue delay. Data subjects must also be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Articles 33 and 34).
  • Data Breach Response Plan: A documented plan outlining steps to take in the event of a data breach. It includes communication protocols, containment measures, and reporting procedures.
  • Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • Data Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. If Union or Member State law determines these purposes and means, the controller may be specified by that law.
  • Data Minimization: The principle of collecting and processing only the minimum amount of personal data necessary for a specific purpose. Organizations should avoid excessive data collection.
  • Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that this data be transmitted to another data controller.
  • Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Data Protection Authority (DPA): Another term for supervisory authority. DPAs are responsible for enforcing data protection laws and providing guidance to organizations.
  • Data Protection Impact Assessment (DPIA): A systematic assessment of the potential impact of data processing activities on individuals’ privacy. DPIAs help identify and mitigate risks before implementing new processes.
  • Data Protection Officer (DPO): An individual or role responsible for ensuring an organization’s compliance with data protection laws, including GDPR. The DPO monitors data processing activities, advises on privacy matters, and acts as a point of contact for data subjects and supervisory authorities.
  • Data Retention: Refers to how long personal data is stored by an organization. GDPR requires clear retention policies and limits on data storage.
  • Data Subject Consent Management: Organizations must maintain records of consent obtained from data subjects. This includes details about when and how consent was given, the specific purpose, and the right to withdraw consent.
  • Data Subject Rights: GDPR grants several rights to data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
  • Data Subject: A natural person whose personal data is processed by a data controller or processor.
  • Genetic Data: Personal data related to inherited or acquired genetic characteristics of a natural person. This data provides unique information about the individual’s physiology or health and results from analyzing biological samples.
  • Joint Controllership: When two or more entities jointly determine the purposes and means of processing personal data. GDPR provides guidelines for their responsibilities and cooperation.
  • Legitimate Interests: One of the six legal bases for processing under Article 6. Processing may rely on the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. The balancing test should be documented, and public authorities cannot rely on this basis for processing carried out in the performance of their tasks.
  • One-Stop-Shop: A mechanism that allows organizations with establishments in multiple EU member states to deal with a single supervisory authority (the lead authority) for cross-border data processing.
  • Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
  • Personal Data: Any information related to an identified or identifiable natural person (the data subject). Identifiable individuals can be directly or indirectly identified using identifiers like names, identification numbers, location data, or online identifiers.
  • Principles: Fundamental principles embedded within the GDPR that outline main responsibilities for organizations.
  • Privacy by Design and Default: Organizations must integrate data protection principles into their systems and processes from the outset (privacy by design) and ensure that default settings prioritize privacy (privacy by default).
  • Privacy Impact Assessment (PIA): The older, generic term for what the GDPR calls a Data Protection Impact Assessment (DPIA). The two are used interchangeably in practice, but the GDPR text itself only uses DPIA.
  • Privacy Notice (Privacy Policy): A document that informs data subjects about how their personal data is processed. It outlines the purposes, legal basis, retention periods, and rights related to data processing.
  • Privacy Shield: A former framework for transferring personal data from the EU to self-certified companies in the United States. The Court of Justice of the EU invalidated it in July 2020 (the Schrems II judgment), so it can no longer be relied on as a transfer mechanism; its successor is the EU-U.S. Data Privacy Framework, for which the Commission adopted an adequacy decision in July 2023.
  • Processing of Personal Data: Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.
  • Profiling: The automated processing of personal data to evaluate certain aspects of an individual, such as their behavior, preferences, interests, or location. Profiling can be used for targeted advertising, credit scoring, and other purposes.
  • Pseudonymization: Processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information, for example by replacing direct identifiers (names, e-mail addresses) with a pseudonym or code. That additional information (the key or lookup table) must be kept separately and protected by technical and organisational measures (Article 4(5)). Pseudonymised data can still be linked back to an individual and therefore remains personal data; only anonymised data falls outside the GDPR.
  • Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future (Article 4(3)).
  • Right to Access: Data subjects have the right to obtain confirmation from the data controller whether their personal data is being processed and, if so, access to that data. This right allows individuals to be aware of and verify the lawfulness of data processing.
  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that this data be transmitted to another data controller.
  • Right to Erasure (Right to Be Forgotten): Data subjects have the right to request the erasure of their personal data from an organization’s records under certain conditions. This right allows individuals to have their data deleted when it is no longer necessary or when they withdraw consent.
  • Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data held by a data controller. Organizations must promptly rectify any inaccuracies.
  • Sensitive Personal Data: Also known as “special categories of personal data” (Article 9), this includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Processing is prohibited unless one of the specific Article 9(2) conditions applies.
  • Supervisory Authority Decisions: DPAs issue decisions and impose fines for GDPR violations. Organizations can appeal these decisions through legal channels.
  • Supervisory Authority: The independent public authority that each EU member state must establish to enforce the GDPR and monitor compliance (Article 51). Examples include the CNIL in France and the Data Protection Commission (DPC) in Ireland. The UK’s Information Commissioner’s Office (ICO) performs the equivalent role under the UK GDPR, which has applied separately from the EU regulation since the end of the Brexit transition period.
  • Third-Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
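The Pseudonymization entry above makes a point that is easy to get wrong in practice: the pseudonym must not be reversible without the separately held "additional information". The following Python example is added here to illustrate that distinction; it is not code from the original post or from any GDPR tooling. It contrasts an unkeyed hash of an e-mail address, which an attacker with a candidate list can reverse, with an HMAC-based pseudonym whose key is the additional information. The sample records, the key handling and the `guess_attack` attacker model are constructed for the example.

```python
"""Keyed pseudonymisation versus an unkeyed hash (added example, not from the original post).

Assumptions: SAMPLE_RECORDS are constructed, fictitious records; in practice the key
would live in a KMS or HSM, separate from the pseudonymised dataset, and the
re-identification table would sit under the same access control as the key.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple


# Constructed sample input: fictitious records keyed by a direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "visits": 12, "country": "DE"},
    {"email": "Bob@Example.org",   "visits": 3,  "country": "FR"},
    {"email": "alice@example.com", "visits": 7,  "country": "DE"},
]


def _normalise(identifier: str) -> bytes:
    """Canonicalise the identifier so the same person always maps to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks opaque, but anyone who can enumerate
    the input space (e-mail addresses are highly guessable) can rebuild the mapping."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()[:32]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without `key` (the 'additional information' of Art. 4(5))
    the pseudonym can be neither reversed nor recomputed, even from a perfect guess list."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym.

    Returns the pseudonymised records and the re-identification table. The table and
    the key are what must be stored separately and protected; the records alone are
    still personal data (pseudonymised, not anonymised).
    """
    pseudonymised: List[dict] = []
    reid_table: Dict[str, str] = {}
    for rec in records:
        pseud = keyed_pseudonym(rec["email"], key)
        reid_table[pseud] = _normalise(rec["email"]).decode("utf-8")
        pseudonymised.append({"subject_id": pseud, "visits": rec["visits"], "country": rec["country"]})
    return pseudonymised, reid_table


def reidentify(pseud: str, reid_table: Dict[str, str]) -> Optional[str]:
    """Controlled re-identification by whoever legitimately holds the table
    (for example to answer a subject access request)."""
    return reid_table.get(pseud)


def guess_attack(pseudonyms: List[str], candidates: List[str],
                 derive: Callable[[str], str]) -> Dict[str, str]:
    """Attacker model: holds the pseudonymised dataset plus a candidate identifier list
    (a leaked mailing list, a public directory) and re-derives pseudonyms with `derive`.
    Returns every pseudonym it managed to link back to a candidate."""
    rainbow = {derive(c): c for c in candidates}
    return {p: rainbow[p] for p in pseudonyms if p in rainbow}


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in practice fetched from a KMS, never stored with the data
    recs, table = pseudonymise(SAMPLE_RECORDS, key)
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    print("same person, same pseudonym:", recs[0]["subject_id"] == recs[2]["subject_id"])
    print("naive hash recovered:",
          guess_attack([naive_pseudonym(r["email"]) for r in SAMPLE_RECORDS], guesses, naive_pseudonym))
    print("keyed pseudonyms recovered without the key:",
          guess_attack([r["subject_id"] for r in recs], guesses, naive_pseudonym))
    print("holder of the table re-identifies:", reidentify(recs[1]["subject_id"], table))
```

The keyed pseudonym stays deterministic, so the two records for the same person remain linkable for analytics, which is exactly what distinguishes pseudonymisation from anonymisation and why the dataset stays in scope of the GDPR. The security of the scheme rests entirely on keeping the key and the re-identification table away from whoever holds the pseudonymised records; an unkeyed hash gives the same linkability but no protection against anyone with a list of plausible identifiers.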

Tuesday, January 30, 2024

GDPR - Articles Categorization

GDPR is structured hierarchically. It has 11 Chapters, each covering a broad topic; the longer Chapters (III, IV, VI and VII) are subdivided into Sections; and the Chapters or Sections contain the 99 Articles, which are the operative units of the Regulation, each addressing a specific rule. Each Article is in turn divided into numbered paragraphs and lettered points that provide the detail of, or exceptions to, the rule. The 173 recitals precede the Articles and explain their intent without being binding themselves.

This structure helps to organize the complex information and regulations contained within GDPR.


Chapter I – General provisions

Article 1: Subject-matter and objectives 

Article 2: Material scope 

Article 3: Territorial scope 

Article 4: Definitions 


Chapter II – Principles 

Article 5: Principles relating to processing of personal data 

Article 6: Lawfulness of processing 

Article 7: Conditions for consent 

Article 8: Conditions applicable to child’s consent in relation to information society services 

Article 9: Processing of special categories of personal data 

Article 10: Processing of personal data relating to criminal convictions and offences 

Article 11: Processing which does not require identification 


Chapter III – Rights of the data subject

Section 1 - Transparency and modalities 

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject 

Section 2 - Information and access to personal data 

Article 13: Information to be provided where personal data are collected from the data subject 

Article 14: Information to be provided where personal data have not been obtained from the data subject 

Article 15: Right of access by the data subject 

Section 3 - Rectification and erasure 

Article 16: Right to rectification 

Article 17: Right to erasure (‘right to be forgotten’) 

Article 18: Right to restriction of processing 

Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing 

Article 20: Right to data portability 

Section 4 - Right to object and automated individual decision-making 

Article 21: Right to object 

Article 22: Automated individual decision-making, including profiling 

Section 5 - Restrictions 

Article 23: Restrictions 


Chapter IV – Controller and processor 

Section 1 - General obligations 

Article 24: Responsibility of the controller 

Article 25: Data protection by design and by default 

Article 26: Joint controllers 

Article 27: Representatives of controllers or processors not established in the Union 

Article 28: Processor 

Article 29: Processing under the authority of the controller or processor 

Article 30: Records of processing activities 

Article 31: Cooperation with the supervisory authority

Section 2 - Security of personal data 

Article 32: Security of processing 

Article 33: Notification of a personal data breach to the supervisory authority 

Article 34: Communication of a personal data breach to the data subject 

Section 3 - Data protection impact assessment and prior consultation 

Article 35: Data protection impact assessment

Article 36: Prior consultation

Section 4 - Data protection officer 

Article 37: Designation of the data protection officer 

Article 38: Position of the data protection officer 

Article 39: Tasks of the data protection officer 

Section 5 - Codes of conduct and certification 

Article 40: Codes of conduct 

Article 41: Monitoring of approved codes of conduct 

Article 42: Certification 

Article 43: Certification bodies 


Chapter V – Transfers of personal data to third countries or international organisations 

Article 44: General principle for transfers 

Article 45: Transfers on the basis of an adequacy decision 

Article 46: Transfers subject to appropriate safeguards 

Article 47: Binding corporate rules 

Article 48: Transfers or disclosures not authorised by Union law 

Article 49: Derogations for specific situations 

Article 50: International cooperation for the protection of personal data 


Chapter VI – Independent supervisory authorities 

Section 1 - Independent status 

Article 51: Supervisory authority 

Article 52: Independence 

Article 53: General conditions for the members of the supervisory authority 

Article 54: Rules on the establishment of the supervisory authority 

Section 2 - Competence, tasks and powers 

Article 55: Competence 

Article 56: Competence of the lead supervisory authority 

Article 57: Tasks 

Article 58: Powers 

Article 59: Activity reports 


Chapter VII – Cooperation and consistency 

Section 1 – Cooperation 

Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned 

Article 61: Mutual assistance 

Article 62: Joint operations of supervisory authorities 

Section 2 - Consistency 

Article 63: Consistency mechanism 

Article 64: Opinion of the Board 

Article 65: Dispute resolution by the Board 

Article 66: Urgency procedure 

Article 67: Exchange of information 

Section 3 - European data protection board 

Article 68: European Data Protection Board 

Article 69: Independence 

Article 70: Tasks of the Board 

Article 71: Reports 

Article 72: Procedure 

Article 73: Chair 

Article 74: Tasks of the Chair 

Article 75: Secretariat 

Article 76: Confidentiality


Chapter VIII – Remedies, liability and penalties 

Article 77: Right to lodge a complaint with a supervisory authority 

Article 78: Right to an effective judicial remedy against a supervisory authority 

Article 79: Right to an effective judicial remedy against a controller or processor 

Article 80: Representation of data subjects 

Article 81: Suspension of proceedings 

Article 82: Right to compensation and liability 

Article 83: General conditions for imposing administrative fines 

Article 84: Penalties 


Chapter IX – Provisions relating to specific processing situations 

Article 85: Processing and freedom of expression and information 

Article 86: Processing and public access to official documents 

Article 87: Processing of the national identification number 

Article 88: Processing in the context of employment 

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes 

Article 90: Obligations of secrecy

Article 91: Existing data protection rules of churches and religious associations 


Chapter X – Delegated acts and implementing acts 

Article 92: Exercise of the delegation 

Article 93: Committee procedure 


Chapter XI – Final provisions 

Article 94: Repeal of Directive 95/46/EC 

Article 95: Relationship with Directive 2002/58/EC 

Article 96: Relationship with previously concluded Agreements 

Article 97: Commission reports 

Article 98: Review of other Union legal acts on data protection 

Article 99: Entry into force and application

Friday, January 19, 2024

GDPR - Key Issues


The General Data Protection Regulation (GDPR) is the EU law that protects the privacy and data rights of individuals. The GDPR has several key issues that organizations need to be aware of and comply with, such as:


  • Consent: Consent is one of six lawful bases for processing, not a universal requirement. Where an organization relies on it, consent must be freely given, specific, informed, and unambiguous, given by a clear affirmative act, demonstrable by the controller, and as easy to withdraw as it was to give. Explicit consent is required for special categories of data, for certain automated decisions, and for some international transfers.

  • Data subject rights: Individuals have various rights regarding their personal data, such as the right to access, rectify, erase, restrict, port, or object to the processing of their data. Organizations must respond to requests without undue delay and in any event within one month of receipt, extendable by two further months where requests are complex or numerous, provided the individual is told about the extension within the first month (Article 12(3)).

  • Data protection by design and by default: Organizations must implement technical and organizational measures to ensure that data protection principles are embedded in the design and operation of their systems and processes. They must also ensure that only the minimum amount of data necessary for the specific purpose is processed by default.

  • Data breach notification: Organizations must report any personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. They must also notify the affected individuals without undue delay if the breach poses a high risk to them.

  • Fines and penalties: Organizations that fail to comply with the GDPR can face severe sanctions, such as administrative fines of up to 20 million euros or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83). They can also be subject to lawsuits, injunctions, audits, or reputational damage.

GDPR - Recitals List

The General Data Protection Regulation (GDPR) is the EU law that protects the privacy and data rights of individuals. GDPR includes a series of recitals that provide context, justification, and interpretation for the various provisions within the regulation. Recitals cover a wide range of topics related to data protection and are not legally binding, but they can be used as a reference by courts and authorities when resolving any ambiguity or dispute over the GDPR.

The recitals of the GDPR are the explanatory notes that accompany the articles of the General Data Protection Regulation (GDPR). There are 173 recitals in the GDPR, covering various topics such as the principles, rights, obligations, and enforcement of data protection. Below is the list of 173 recitals:


1. Data Protection as a Fundamental Right

2. Respect of the Fundamental Rights and Freedoms

3. Directive 95/46/EC Harmonisation

4. Data Protection in Balance with Other Fundamental Rights

5. Cooperation Between Member States to Exchange Personal Data

6. Ensuring a High Level of Data Protection Despite the Increased Exchange of Data

7. The Framework is Based on Control and Certainty

8. Adoption into National Law

9. Different Standards of Protection by the Directive 95/46/EC

10. Harmonised Level of Data Protection Despite National Scope

11. Harmonisation of the Powers and Sanctions

12. Authorization of the European Parliament and the Council

13. Taking Account of Micro, Small and Medium-Sized Enterprises

14. Not Applicable to Legal Persons

15. Technology Neutrality

16. Not Applicable to Activities Regarding National and Common Security

17. Adaptation of Regulation (EC) No 45/2001

18. Not Applicable to Personal or Household Activities

19. Not Applicable to Criminal Prosecution

20. Respecting the Independence of the Judiciary

21. Liability Rules of Intermediary Service Providers Shall Remain Unaffected

22. Processing by an Establishment

23. Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Targeted

24. Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled

25. Applicable to Controllers Due to International Law

26. Not Applicable to Anonymous Data

27. Not Applicable to Data of Deceased Persons

28. Introduction of Pseudonymisation

29. Pseudonymisation at the Same Controller

30. Online Identifiers for Profiling and Identification

31. Not Applicable to Public Authorities in Connection with Their Official Tasks

32. Conditions for Consent

33. Consent to Certain Areas of Scientific Research

34. Genetic Data

35. Health Data

36. Determination of the Main Establishment

37. Group of undertakings

38. Special Protection of Children's Personal Data

39. Principles of Data Processing

40. Lawfulness of Data Processing

41. Legal Basis or Legislative Measures

42. Burden of Proof and Requirements for Consent

43. Freely Given Consent

44. Performance of a Contract

45. Fulfillment of Legal Obligations

46. Vital Interests of the Data Subject

47. Overriding Legitimate Interest

48. Overriding Legitimate Interest Within Group of Undertakings

49. Network and Information Security as Overriding Legitimate Interest

50. Further Processing of Personal Data

51. Protecting Sensitive Personal Data

52. Exceptions to the Prohibition on Processing Special Categories of Personal Data

53. Processing of Sensitive Data in Health and Social Sector

54. Processing of Sensitive Data in Public Health Sector

55. Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities

56. Processing Personal Data on People's Political Opinions by Parties

57. Additional Data for Identification Purposes

58. The Principle of Transparency

59. Procedures for the Exercise of the Rights of the Data Subjects

60. Information Obligation

61. Time of Information

62. Exceptions to the Obligation to Provide Information

63. Right of Access

64. Identity Verification

65. Right of Rectification and Erasure

66. Right to be Forgotten

67. Restriction of Processing

68. Right of Data Portability

69. Right to Object

70. Right to Object to Direct Marketing

71. Profiling

72. Guidance of the European Data Protection Board Regarding Profiling

73. Restrictions of Rights and Principles

74. Responsibility and Liability of the Controller

75. Risks to the Rights and Freedoms of Natural Persons

76. Risk Assessment

77. Risk Assessment Guidelines

78. Appropriate Technical and Organisational Measures

79. Allocation of the Responsibilities

80. Designation of a Representative

81. The Use of Processors

82. Record of Processing Activities

83. Security of Processing

84. Risk Evaluation and Impact Assessment

85. Notification Obligation of Breaches to the Supervisory Authority

86. Notification of Data Subjects in Case of Data Breaches

87. Promptness of Reporting / Notification

88. Format and Procedures of the Notification

89. Elimination of the General Reporting Requirement

90. Data Protection Impact Assessment

91. Necessity of a Data Protection Impact Assessment

92. Broader Data Protection Impact Assessment

93. Data Protection Impact Assessment at Authorities

94. Consultation of the Supervisory Authority

95. Support by the Processor

96. Consultation of the Supervisory Authority in the Course of a Legislative Process

97. Data Protection Officer

98. Preparation of Codes of Conduct by Organisations and Associations

99. Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

100. Certification

101. General Principles for International Data Transfers

102. International Agreements for an Appropriate Level of Data Protection

103. Appropriate Level of Data Protection Based on an Adequacy Decision

104. Criteria for an Adequacy Decision

105. Consideration of International Agreements for an Adequacy Decision

106. Monitoring and Periodic Review of the Level of Data Protection

107. Amendment, Revocation and Suspension of Adequacy Decisions

108. Appropriate Safeguards

109. Standard Data Protection Clauses

110. Binding Corporate Rules

111. Exceptions for Certain Cases of International Transfers

112. Data Transfers due to Important Reasons of Public Interest

113. Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects

114. Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision

115. Rules in Third Countries Contrary to the Regulation

116. Cooperation Among Supervisory Authorities

117. Establishment of Supervisory Authorities

118. Monitoring of the Supervisory Authorities

119. Organisation of Several Supervisory Authorities of a Member State

120. Features of Supervisory Authorities

121. Independence of the Supervisory Authorities

122. Responsibility of the Supervisory Authorities

123. Cooperation of the Supervisory Authorities with Each Other and with the Commission

124. Lead Authority Regarding Processing in Several Member States

125. Competences of the Lead Authority

126. Joint Decisions

127. Information of the Supervisory Authority Regarding Local Processing

128. Responsibility Regarding Processing in the Public Interest

129. Tasks and Powers of the Supervisory Authorities

130. Consideration of the Authority with which the Complaint has been Lodged

131. Attempt of an Amicable Settlement

132. Awareness-Raising Activities and Specific Measures

133. Mutual Assistance and Provisional Measures

134. Participation in Joint Operations

135. Consistency Mechanism

136. Binding Decisions and Opinions of the Board

137. Provisional Measures

138. Urgency Procedure

139. European Data Protection Board

140. Secretariat and Staff of the Board

141. Right to Lodge a Complaint

142. The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association

143. Judicial Remedies

144. Related Proceedings

145. Choice of Venue

146. Indemnity

147. Jurisdiction

148. Penalties

149. Penalties for Infringements of National Rules

150. Administrative Fines

151. Administrative Fines in Denmark and Estonia

152. Power of Sanction of the Member States

153. Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression

154. Principle of Public Access to Official Documents

155. Processing in the Employment Context

156. Processing for Archiving, Scientific or Historical Research or Statistical Purposes

157. Information from Registries and Scientific Research

158. Processing for Archiving Purposes

159. Processing for Scientific Research Purposes

160. Processing for Historical Research Purposes

161. Consenting to the Participation in Clinical Trials

162. Processing for Statistical Purposes

163. Production of European and National Statistics

164. Professional or Other Equivalent Secrecy Obligations

165. No Prejudice of the Status of Churches and Religious Associations

166. Delegated Acts of the Commission

167. Implementing Powers of the Commission

168. Implementing Acts on Standard Contractual Clauses

169. Immediately Applicable Implementing Acts

170. Principle of Subsidiarity and Principle of Proportionality

171. Repeal of Directive 95/46/EC and Transitional Provisions

172. Consultation of the European Data Protection Supervisor

173. Relationship to Directive 2002/58/EC

GDPR - Recitals Categorization

The General Data Protection Regulation (GDPR) is the EU law that protects the privacy and data rights of individuals. GDPR includes a series of recitals that provide context, justification, and interpretation for the various provisions within the regulation. Recitals cover a wide range of topics related to data protection and are not legally binding, but they can be used as a reference by courts and authorities when resolving any ambiguity or dispute over the GDPR.


The recitals of the GDPR are the explanatory notes that accompany the articles of the General Data Protection Regulation (GDPR). There are 173 recitals in the GDPR, covering various topics such as the principles, rights, obligations, and enforcement of data protection. Here's a categorization of some key GDPR recitals based on their thematic content:


  • Subject-matter, objectives and background (Recitals 1-13): why the Regulation replaces Directive 95/46/EC, the harmonisation goal, and the position of micro, small and medium-sized enterprises.
  • Material scope (Recitals 14-21): what the Regulation does not cover: legal persons, national and common security, purely personal or household activities, criminal prosecution, the judiciary, and intermediary liability.
  • Territorial scope (Recitals 22-25): establishment in the Union, and controllers or processors outside the Union that target or monitor data subjects within it.
  • Definitions and core concepts (Recitals 26-38): anonymous versus pseudonymised data, online identifiers, consent, genetic and health data, main establishment, groups of undertakings, and the special protection of children.
  • Principles and lawful bases (Recitals 39-50): the processing principles and each legal basis, including contract, legal obligation, vital interests, legitimate interests (with network and information security named as one), and further processing.
  • Special categories of personal data (Recitals 51-57): the prohibition on processing sensitive data and its exceptions, including health, public health, religious communities and political parties.
  • Data subject rights (Recitals 58-73): transparency, information duties, access, rectification, erasure, restriction, portability, objection, profiling, and the restrictions that may be placed on these rights.
  • Controller and processor obligations (Recitals 74-100): accountability and risk, data protection by design and by default (78), representatives, processors, records, security of processing, breach notification (85-88), DPIAs and prior consultation (89-96), the DPO (97), and codes of conduct and certification.
  • International transfers (Recitals 101-116): adequacy decisions, appropriate safeguards, standard clauses, binding corporate rules, derogations, and international cooperation.
  • Supervisory authorities, cooperation and consistency (Recitals 117-140): establishment and independence of supervisory authorities, the lead authority and one-stop-shop, mutual assistance, the consistency mechanism, and the European Data Protection Board.
  • Remedies, liability and penalties (Recitals 141-152): complaints, judicial remedies, compensation, and administrative fines.
  • Specific processing situations (Recitals 153-165): journalism and expression, public access to documents, employment, archiving, research and statistics, and secrecy obligations.
  • Delegated and implementing acts (Recitals 166-169).
  • Final provisions (Recitals 170-173): subsidiarity and proportionality, repeal of Directive 95/46/EC, and the relationship with Directive 2002/58/EC.
