Tuesday, January 30, 2024

GDPR - Articles Categorization

GDPR is structured hierarchically. The Regulation is divided into Chapters, each dealing with a broad topic; several Chapters are further divided into Sections; and the Sections (or the Chapter itself, where it has no Sections) contain the Articles. The Articles are the operative units of GDPR, each addressing a specific rule or obligation, and each Article is in turn divided into numbered paragraphs, and where needed lettered points, that set out the details of, and the exceptions to, that rule.

This structure organizes the complex set of rules contained in GDPR and is the basis for the standard way of citing it: Article 33(1), for example, is the first paragraph of Article 33.


Chapter I – General provisions

Article 1: Subject-matter and objectives 

Article 2: Material scope 

Article 3: Territorial scope 

Article 4: Definitions 


Chapter II – Principles 

Article 5: Principles relating to processing of personal data 

Article 6: Lawfulness of processing 

Article 7: Conditions for consent 

Article 8: Conditions applicable to child’s consent in relation to information society services 

Article 9: Processing of special categories of personal data 

Article 10: Processing of personal data relating to criminal convictions and offences 

Article 11: Processing which does not require identification 


Chapter III – Rights of the data subject

Section 1 - Transparency and modalities 

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject 

Section 2 - Information and access to personal data 

Article 13: Information to be provided where personal data are collected from the data subject 

Article 14: Information to be provided where personal data have not been obtained from the data subject 

Article 15: Right of access by the data subject 

Section 3 - Rectification and erasure 

Article 16: Right to rectification 

Article 17: Right to erasure (‘right to be forgotten’) 

Article 18: Right to restriction of processing 

Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing 

Article 20: Right to data portability 

Section 4 - Right to object and automated individual decision-making 

Article 21: Right to object 

Article 22: Automated individual decision-making, including profiling 

Section 5 - Restrictions 

Article 23: Restrictions 


Chapter IV – Controller and processor 

Section 1 - General obligations 

Article 24: Responsibility of the controller 

Article 25: Data protection by design and by default 

Article 26: Joint controllers 

Article 27: Representatives of controllers or processors not established in the Union 

Article 28: Processor 

Article 29: Processing under the authority of the controller or processor 

Article 30: Records of processing activities 

Article 31: Cooperation with the supervisory authority

Section 2 - Security of personal data 

Article 32: Security of processing 

Article 33: Notification of a personal data breach to the supervisory authority 

Article 34: Communication of a personal data breach to the data subject 

Section 3 - Data protection impact assessment and prior consultation 

Article 35: Data protection impact assessment

Article 36: Prior consultation

Section 4 - Data protection officer 

Article 37: Designation of the data protection officer 

Article 38: Position of the data protection officer 

Article 39: Tasks of the data protection officer 

Section 5 - Codes of conduct and certification 

Article 40: Codes of conduct 

Article 41: Monitoring of approved codes of conduct 

Article 42: Certification 

Article 43: Certification bodies 


Chapter V – Transfers of personal data to third countries or international organisations 

Article 44: General principle for transfers 

Article 45: Transfers on the basis of an adequacy decision 

Article 46: Transfers subject to appropriate safeguards 

Article 47: Binding corporate rules 

Article 48: Transfers or disclosures not authorised by Union law 

Article 49: Derogations for specific situations 

Article 50: International cooperation for the protection of personal data 


Chapter VI – Independent supervisory authorities 

Section 1 - Independent status 

Article 51: Supervisory authority 

Article 52: Independence 

Article 53: General conditions for the members of the supervisory authority 

Article 54: Rules on the establishment of the supervisory authority 

Section 2 - Competence, tasks and powers 

Article 55: Competence 

Article 56: Competence of the lead supervisory authority 

Article 57: Tasks 

Article 58: Powers 

Article 59: Activity reports 


Chapter VII – Cooperation and consistency 

Section 1 – Cooperation 

Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned 

Article 61: Mutual assistance 

Article 62: Joint operations of supervisory authorities 

Section 2 - Consistency 

Article 63: Consistency mechanism 

Article 64: Opinion of the Board 

Article 65: Dispute resolution by the Board 

Article 66: Urgency procedure 

Article 67: Exchange of information 

Section 3 - European data protection board 

Article 68: European Data Protection Board 

Article 69: Independence 

Article 70: Tasks of the Board 

Article 71: Reports 

Article 72: Procedure 

Article 73: Chair 

Article 74: Tasks of the Chair 

Article 75: Secretariat 

Article 76: Confidentiality


Chapter VIII – Remedies, liability and penalties 

Article 77: Right to lodge a complaint with a supervisory authority 

Article 78: Right to an effective judicial remedy against a supervisory authority 

Article 79: Right to an effective judicial remedy against a controller or processor 

Article 80: Representation of data subjects 

Article 81: Suspension of proceedings 

Article 82: Right to compensation and liability 

Article 83: General conditions for imposing administrative fines 

Article 84: Penalties 


Chapter IX – Provisions relating to specific processing situations 

Article 85: Processing and freedom of expression and information 

Article 86: Processing and public access to official documents 

Article 87: Processing of the national identification number 

Article 88: Processing in the context of employment 

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes 

Article 90: Obligations of secrecy

Article 91: Existing data protection rules of churches and religious associations 


Chapter X – Delegated acts and implementing acts 

Article 92: Exercise of the delegation 

Article 93: Committee procedure 


Chapter XI – Final provisions 

Article 94: Repeal of Directive 95/46/EC 

Article 95: Relationship with Directive 2002/58/EC 

Article 96: Relationship with previously concluded Agreements 

Article 97: Commission reports 

Article 98: Review of other Union legal acts on data protection 

Article 99: Entry into force and application

Friday, January 19, 2024

GDPR - Key Issues


The General Data Protection Regulation (GDPR) is the EU law that protects the personal data and privacy rights of individuals. Organizations that process personal data need to be aware of, and comply with, several key requirements, including:


  • Lawful basis and consent: Every processing operation needs one of the six lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task or legitimate interests); consent is only one of them. Where an organization relies on consent, it must be freely given, specific, informed and unambiguous, it must be as easy to withdraw as it was to give, and the organization must be able to demonstrate that it was obtained (Article 7). Processing special categories of data (such as health, biometric or political data) on the basis of consent requires explicit consent (Article 9).

  • Data subject rights: Individuals have rights over their personal data, including the rights of access, rectification, erasure, restriction of processing, data portability and objection (Articles 15 to 21), and protection against decisions based solely on automated processing (Article 22). Organizations must act on a request without undue delay and in any event within one month of receiving it; that period may be extended by a further two months for complex or numerous requests, provided the individual is told of the extension within the first month (Article 12(3)).

  • Data protection by design and by default: Organizations must implement appropriate technical and organizational measures, such as pseudonymisation and data minimisation, so that the data protection principles are built into their systems and processes from the design stage onward (Article 25(1)). By default, only the personal data necessary for each specific purpose may be processed, in terms of the amount collected, the extent of processing, the retention period and who can access it (Article 25(2)).

  • Data breach notification: Controllers must report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made later than 72 hours must state the reasons for the delay (Article 33). Processors must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected individuals without undue delay (Article 34). Because the clock starts at awareness, detection and escalation procedures have to exist before an incident occurs.

  • Fines and penalties: Non-compliance can be sanctioned with administrative fines at two tiers: up to 10 million euros or 2% of total worldwide annual turnover of the preceding financial year for infringements of controller and processor obligations such as security of processing or breach notification, and up to 20 million euros or 4% of turnover for infringements of the basic principles, data subject rights or international transfer rules, in each case whichever amount is higher (Article 83). Supervisory authorities can also order processing to be restricted or banned (Article 58), individuals can claim compensation for material or non-material damage (Article 82), and enforcement actions carry reputational cost beyond the fine itself.

GDPR - Recitals List

The General Data Protection Regulation (GDPR) is the EU law that protects the privacy and data rights of individuals. GDPR includes a series of recitals that provide context, justification, and interpretation for the various provisions within the regulation. Recitals cover a wide range of topics related to data protection and are not legally binding, but they can be used as a reference by courts and authorities when resolving any ambiguity or dispute over the GDPR.

The recitals are the explanatory notes that precede the articles of the GDPR. There are 173 recitals, covering topics such as the principles, rights, obligations and enforcement of data protection. Below is the list of the 173 recitals, each with a short descriptive title (the Regulation itself numbers the recitals but does not give them titles):


1. Data Protection as a Fundamental Right

2. Respect of the Fundamental Rights and Freedoms

3. Directive 95/46/EC Harmonisation

4. Data Protection in Balance with Other Fundamental Rights

5. Cooperation Between Member States to Exchange Personal Data

6. Ensuring a High Level of Data Protection Despite the Increased Exchange of Data

7. The Framework is Based on Control and Certainty

8. Adoption into National Law

9. Different Standards of Protection by the Directive 95/46/EC

10. Harmonised Level of Data Protection Despite National Scope

11. Harmonisation of the Powers and Sanctions

12. Authorization of the European Parliament and the Council

13. Taking Account of Micro, Small and Medium-Sized Enterprises

14. Not Applicable to Legal Persons

15. Technology Neutrality

16. Not Applicable to Activities Regarding National and Common Security

17. Adaptation of Regulation (EC) No 45/2001

18. Not Applicable to Personal or Household Activities

19. Not Applicable to Criminal Prosecution

20. Respecting the Independence of the Judiciary

21. Liability Rules of Intermediary Service Providers Shall Remain Unaffected

22. Processing by an Establishment

23. Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Targeted

24. Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled

25. Applicable to Controllers Due to International Law

26. Not Applicable to Anonymous Data

27. Not Applicable to Data of Deceased Persons

28. Introduction of Pseudonymisation

29. Pseudonymisation at the Same Controller

30. Online Identifiers for Profiling and Identification

31. Not Applicable to Public Authorities in Connection with Their Official Tasks

32. Conditions for Consent

33. Consent to Certain Areas of Scientific Research

34. Genetic Data

35. Health Data

36. Determination of the Main Establishment

37. Group of Undertakings

38. Special Protection of Children's Personal Data

39. Principles of Data Processing

40. Lawfulness of Data Processing

41. Legal Basis or Legislative Measures

42. Burden of Proof and Requirements for Consent

43. Freely Given Consent

44. Performance of a Contract

45. Fulfillment of Legal Obligations

46. Vital Interests of the Data Subject

47. Overriding Legitimate Interest

48. Overriding Legitimate Interest Within Group of Undertakings

49. Network and Information Security as Overriding Legitimate Interest

50. Further Processing of Personal Data

51. Protecting Sensitive Personal Data

52. Exceptions to the Prohibition on Processing Special Categories of Personal Data

53. Processing of Sensitive Data in Health and Social Sector

54. Processing of Sensitive Data in Public Health Sector

55. Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities

56. Processing Personal Data on People's Political Opinions by Parties

57. Additional Data for Identification Purposes

58. The Principle of Transparency

59. Procedures for the Exercise of the Rights of the Data Subjects

60. Information Obligation

61. Time of Information

62. Exceptions to the Obligation to Provide Information

63. Right of Access

64. Identity Verification

65. Right of Rectification and Erasure

66. Right to be Forgotten

67. Restriction of Processing

68. Right of Data Portability

69. Right to Object

70. Right to Object to Direct Marketing

71. Profiling

72. Guidance of the European Data Protection Board Regarding Profiling

73. Restrictions of Rights and Principles

74. Responsibility and Liability of the Controller

75. Risks to the Rights and Freedoms of Natural Persons

76. Risk Assessment

77. Risk Assessment Guidelines

78. Appropriate Technical and Organisational Measures

79. Allocation of the Responsibilities

80. Designation of a Representative

81. The Use of Processors

82. Record of Processing Activities

83. Security of Processing

84. Risk Evaluation and Impact Assessment

85. Notification Obligation of Breaches to the Supervisory Authority

86. Notification of Data Subjects in Case of Data Breaches

87. Promptness of Reporting / Notification

88. Format and Procedures of the Notification

89. Elimination of the General Reporting Requirement

90. Data Protection Impact Assessment

91. Necessity of a Data Protection Impact Assessment

92. Broader Data Protection Impact Assessment

93. Data Protection Impact Assessment at Authorities

94. Consultation of the Supervisory Authority

95. Support by the Processor

96. Consultation of the Supervisory Authority in the Course of a Legislative Process

97. Data Protection Officer

98. Preparation of Codes of Conduct by Organisations and Associations

99. Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

100. Certification

101. General Principles for International Data Transfers

102. International Agreements for an Appropriate Level of Data Protection

103. Appropriate Level of Data Protection Based on an Adequacy Decision

104. Criteria for an Adequacy Decision

105. Consideration of International Agreements for an Adequacy Decision

106. Monitoring and Periodic Review of the Level of Data Protection

107. Amendment, Revocation and Suspension of Adequacy Decisions

108. Appropriate Safeguards

109. Standard Data Protection Clauses

110. Binding Corporate Rules

111. Exceptions for Certain Cases of International Transfers

112. Data Transfers due to Important Reasons of Public Interest

113. Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects

114. Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision

115. Rules in Third Countries Contrary to the Regulation

116. Cooperation Among Supervisory Authorities

117. Establishment of Supervisory Authorities

118. Monitoring of the Supervisory Authorities

119. Organisation of Several Supervisory Authorities of a Member State

120. Features of Supervisory Authorities

121. Independence of the Supervisory Authorities

122. Responsibility of the Supervisory Authorities

123. Cooperation of the Supervisory Authorities with Each Other and with the Commission

124. Lead Authority Regarding Processing in Several Member States

125. Competences of the Lead Authority

126. Joint Decisions

127. Information of the Supervisory Authority Regarding Local Processing

128. Responsibility Regarding Processing in the Public Interest

129. Tasks and Powers of the Supervisory Authorities

130. Consideration of the Authority with which the Complaint has been Lodged

131. Attempt of an Amicable Settlement

132. Awareness-Raising Activities and Specific Measures

133. Mutual Assistance and Provisional Measures

134. Participation in Joint Operations

135. Consistency Mechanism

136. Binding Decisions and Opinions of the Board

137. Provisional Measures

138. Urgency Procedure

139. European Data Protection Board

140. Secretariat and Staff of the Board

141. Right to Lodge a Complaint

142. The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association

143. Judicial Remedies

144. Related Proceedings

145. Choice of Venue

146. Indemnity

147. Jurisdiction

148. Penalties

149. Penalties for Infringements of National Rules

150. Administrative Fines

151. Administrative Fines in Denmark and Estonia

152. Power of Sanction of the Member States

153. Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression

154. Principle of Public Access to Official Documents

155. Processing in the Employment Context

156. Processing for Archiving, Scientific or Historical Research or Statistical Purposes

157. Information from Registries and Scientific Research

158. Processing for Archiving Purposes

159. Processing for Scientific Research Purposes

160. Processing for Historical Research Purposes

161. Consenting to the Participation in Clinical Trials

162. Processing for Statistical Purposes

163. Production of European and National Statistics

164. Professional or Other Equivalent Secrecy Obligations

165. No Prejudice of the Status of Churches and Religious Associations

166. Delegated Acts of the Commission

167. Implementing Powers of the Commission

168. Implementing Acts on Standard Contractual Clauses

169. Immediately Applicable Implementing Acts

170. Principle of Subsidiarity and Principle of Proportionality

171. Repeal of Directive 95/46/EC and Transitional Provisions

172. Consultation of the European Data Protection Supervisor

173. Relationship to Directive 2002/58/EC

GDPR - Recitals Categorization

This post groups the 173 recitals listed above by theme. The ranges follow the order of the recitals themselves, which largely mirrors the order of the Articles they explain:


  • Purpose, background and legal framework (Recitals 1-13): data protection as a fundamental right, the shortcomings of Directive 95/46/EC, the need for a harmonised and consistent level of protection across Member States, and the position of micro, small and medium-sized enterprises.
  • Scope (Recitals 14-27): applicability to natural persons only, technology neutrality, activities outside the scope (national and common security, personal or household activities, criminal prosecution), processing by establishments in the Union and by controllers or processors outside the Union that target or profile data subjects in the Union, and the exclusion of anonymous data and data of deceased persons.
  • Key definitions (Recitals 28-38): pseudonymisation, online identifiers, recipients that are public authorities, consent, genetic and health data, main establishment, group of undertakings, and the special protection of children's personal data.
  • Principles and lawful bases for processing (Recitals 39-50): the principles of data processing, lawfulness, burden of proof and freely given consent, performance of a contract, legal obligations, vital interests, legitimate interests (including network and information security), and further processing.
  • Special categories of personal data (Recitals 51-57): sensitive data and the exceptions that permit its processing (health and social sector, public health, religious communities, political parties), and processing that does not require identification.
  • Transparency and data subject rights (Recitals 58-73): transparency, information obligations and their exceptions, the right of access and identity verification, rectification and erasure, the right to be forgotten, restriction of processing, data portability, the right to object (including to direct marketing), profiling, and restrictions on these rights.
  • Controller and processor obligations (Recitals 74-84): responsibility and liability of the controller, risks to natural persons and risk assessment, appropriate technical and organisational measures, allocation of responsibilities, representatives, processors, records of processing activities and security of processing.
  • Personal data breaches (Recitals 85-88): notification to the supervisory authority, communication to data subjects, promptness, and format and procedures.
  • Impact assessments, prior consultation, the data protection officer, codes of conduct and certification (Recitals 89-100): the end of the general reporting requirement, when a DPIA is necessary and how broad it must be, consultation of the supervisory authority, support by the processor, the DPO, and the preparation and monitoring of codes of conduct and certification.
  • International data transfers (Recitals 101-115): general principles, adequacy decisions and their criteria, monitoring and revocation, appropriate safeguards, standard data protection clauses, binding corporate rules, derogations for specific cases, and third-country rules contrary to the Regulation.
  • Supervisory authorities, cooperation and consistency (Recitals 116-140): establishment, independence and tasks of supervisory authorities, the lead authority and the one-stop-shop, handling of complaints, mutual assistance, joint operations, the consistency mechanism, binding decisions and the urgency procedure, and the European Data Protection Board and its secretariat.
  • Remedies, liability and penalties (Recitals 141-152): the right to lodge a complaint, representation by not-for-profit bodies, judicial remedies, related proceedings and choice of venue, indemnity and jurisdiction, penalties and administrative fines (including the Danish and Estonian arrangements).
  • Specific processing situations (Recitals 153-165): journalistic, academic, artistic and literary expression, public access to official documents, employment, archiving, scientific and historical research and statistics, clinical trials, professional secrecy obligations, and churches and religious associations.
  • Delegated and implementing acts and final provisions (Recitals 166-173): the Commission's delegated and implementing powers, standard contractual clauses, immediately applicable implementing acts, subsidiarity and proportionality, repeal of Directive 95/46/EC and transitional provisions, consultation of the European Data Protection Supervisor, and the relationship to Directive 2002/58/EC.

GDPR - History & Timeline

The General Data Protection Regulation (GDPR) is a significant piece of legislation concerning data protection and privacy for individuals w...