11 February 2020
The General Data Protection Regulation (GDPR) consists of 99 Articles and 173 Recitals.
Below you'll find a summary and brief explanation of each Article of the GDPR, organized by Chapter.
We've tried to explain each Article as clearly and simply as possible so you can get a basic understanding of what the Article requires.
The GDPR:
The GDPR:
The GDPR:
Key definitions include:
All personal data processing must adhere to six principles, which are the responsibility of the data controller:
All personal data processing must occur under one of six lawful bases:
Consent must be:
Here's how magazine New Scientist invites its users to withdraw their consent in its Privacy Policy:
If you offer "information society services" directly to a child and rely on consent as your lawful basis for processing their personal data, the child's own consent is only valid from the age of 16. Below that age you need the consent or authorisation of the holder of parental responsibility (their parent or carer). Member States may set a lower age in national law, but not lower than 13.
You also need to make reasonable efforts, taking available technology into account, to verify that it really was the parent or carer who gave or authorised the consent.
Information society service (ISS) broadly means any online service - apps, websites, games, streaming services.
Special categories of personal data include information about a person's:
You may only process special category data under very specific circumstances, including:
Here's how charity Croydon Citizens' Advice Bureau explains its legitimate interest in processing its users' special category data in its Privacy Policy:
You can only process data about people's criminal convictions if:
If your reasons for processing personal information don't require you to actually know whose personal data you're processing, the GDPR doesn't require you to find out.
If you can't identify the people whose personal data you're processing, you should tell them so, where possible. Articles 15 to 20 (the rights of access, rectification, erasure, restriction, notification and portability) won't apply unless the data subject provides extra information that allows you to identify them.
You need to help your users exercise their data rights. As a data controller, you need to provide information about your data processing activities if requested. When you do so, the information must be:
You need to respond to such requests:
You can ask your users for additional information in order to confirm their identity if you have reasonable doubts about the identity of the person making the request.
You can refuse to facilitate your users' data rights or charge a reasonable fee if their requests are manifestly unfounded or excessive.
Here's how the British Library invites its users to exercise their data rights:
Where you've collected personal data from your users, you need to provide information at the time that you collect the data. This includes information about:
This is essentially a requirement that you create a Privacy Policy and draw your users' attention to it when they give you their personal data.
Here's how The Guardian explains its reasons for processing their users' personal data in its Privacy Policy:
Where you've obtained personal data about a person from a source other than that person, you need to provide certain information to them within a reasonable period and at the latest within one month. If you use the data to communicate with them, or disclose it to someone else, before that month is up, you need to provide the information at the time of that first communication or disclosure instead. This includes transparent information about:
This is essentially a requirement that you make your Privacy Policy available to anyone whose personal data you're processing and provide it as soon as possible.
People have a right to obtain confirmation from a data controller as to whether it's processing personal data about them and, if so, to access that data and information about the processing. This includes:
When this information is requested, the controller must provide a copy free of charge. It may charge a reasonable fee based on administrative costs for any further copies.
People have a right to request that data controllers correct any inaccuracies about them in the personal data they've collected. If the data about them is incomplete, they can provide further information so that it can be complete.
People can request that data controllers erase their personal data under certain circumstances, including:
Under certain circumstances, data controllers can refuse to erase data, including:
People can request that data controllers stop processing their personal data in particular ways under certain circumstances, including:
When you've rectified or erased a user's personal data, or restricted your processing of it, you must also communicate this to each recipient you've disclosed the data to, unless this proves impossible or involves disproportionate effort.
You must also tell the data subject who those recipients are if they ask.
People have the right to receive a copy of the personal data they've provided to a data controller in a structured, commonly used and machine-readable format, so they can transmit it to another data controller. This right applies where the processing is based on consent or on a contract and is carried out by automated means. Where it's technically feasible, the data subject can ask you to transmit the data directly to the other controller.
Your users have the right to object to your processing of their data. You can refuse to comply with certain objections if your legitimate interests outweigh the rights of your user. Your users have an absolute right to object to receiving direct marketing, and you cannot refuse to comply with this objection.
If your company makes decisions about its users based solely on automated processing (including profiling), your users have the right not to be subject to such a decision where it produces legal effects for them or similarly significantly affects them.
Under certain conditions, this right doesn't apply and you can still make the decision, for example:
The EU or Member States of the EU can pass laws that restrict the data rights described at Articles 12-22 and 34. There are several reasons this might be allowed, including:
Any such law must refer to how it deals with certain relevant matters, including:
It's the data controller's responsibility to make sure that processing of personal data is compliant with the GDPR.
The data controller must put in place appropriate data protection measures and safeguards that adhere to privacy principles such as data minimization and purpose limitation. These need to be built into data processing systems by default.
Where two or more data controllers determine jointly how and why to process personal data, they can decide between themselves their respective responsibilities for complying with rules set out in the GDPR.
People can still exercise their data rights against any of the data controllers in this arrangement.
Where a data controller or processor is based outside of the EU but is subject to the GDPR because it offers goods or services to, or monitors the behaviour of, people in the EU, it must normally designate in writing a representative established in the EU. This representative will be the first point of contact for supervisory authorities and data subjects on GDPR-related matters.
This isn't necessary if the processing is only occasional, doesn't include large-scale processing of special category data or criminal conviction data, and is unlikely to result in a risk to people's rights and freedoms, or if the data controller or processor is a public authority or body.
Data controllers may only appoint data processors who provide sufficient guarantees that they'll implement appropriate technical and organisational measures so that the processing complies with the GDPR.
A data processor may only engage another processor (a sub-processor) with the prior written permission of their data controller, which can be specific or general.
Where the controller has given general permission, the data processor must inform the controller of any intended addition or replacement of sub-processors, so that the controller has the chance to object.
Data controllers must have a legally binding contract with their data processors. This contract must contain certain clauses relating to GDPR compliance. This contract also applies to any subcontractors hired by the data processors. If the subcontractors fail to carry out their duties under the contract, the data processor will be held liable.
Unless legally obligated to do so, the data processor may not process personal data without the data controller's permission. The data must be processed according to instructions by the controller.
If you're a data controller or data processor, you must keep a record of your data processing activities. This record must contain certain information, including information about:
You don't need to do this if your company employs fewer than 250 people unless:
All data controllers and data processors (i.e. anyone who is subject to the GDPR) must cooperate with supervisory authorities. These are data protection authorities set up in each Member State to enforce the GDPR.
Data controllers and data processors must implement technical and organisational security measures that are appropriate to the risk to the data. What's appropriate takes into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, weighed against the likelihood and severity of the risk to people's rights and freedoms.
Security measures may include:
If you're a data controller and you suffer a personal data breach, you need to notify the relevant supervisory authority without undue delay, describing the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), giving the contact details of your data protection officer or another contact point, and describing the likely consequences of the breach and the measures you've taken or propose to take to address it.
This needs to take place within 72 hours of you becoming aware of the breach where feasible. Any later, and you must give reasons for the delay. If you can't provide all the information at once, you can provide it in phases without further undue delay.
Data breaches need to be documented.
When the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects, it doesn't need to be notified to the supervisory authority, but you must still document it.
Data processors need to inform their data controllers of a breach as soon as possible after it occurs.
If you suffer a data breach that's likely to result in a high risk to the rights and freedoms of your users, you must communicate it to the affected users directly, without undue delay.
Using clear and plain language, you must describe the nature of the breach and provide at least the contact details of your data protection officer or another contact point, the likely consequences of the breach, and the measures you've taken or propose to take to address it.
You might not have to do this if:
If you're engaging in high-risk data processing using new technologies, you might need to run an assessment to evaluate the potential impact on your users. This will be necessary, for example, if you're:
This assessment should provide information about certain matters, including the nature of the processing you're planning to do and how you've mitigated against the risks involved.
You might need to consult with your users when you're carrying out the assessment. If you have a data protection officer, you should consult with this individual.
You should review your assessment regularly.
If you've carried out a data protection impact assessment and it indicates that the processing you're planning would result in a high risk in the absence of measures to mitigate that risk, you'll need to consult with your supervisory authority before proceeding.
You need to provide certain information to your supervisory authority. This includes information about the nature of the processing you're planning to do, and how you've mitigated against the risks involved.
If it looks like the processing you're planning might infringe the GDPR, the supervisory authority must offer advice within eight weeks (fourteen weeks if the processing is particularly complicated).
Under certain conditions, your organization might need to designate a data protection officer. For example, if it's:
One data protection officer might serve several public authorities.
This can be an existing member of staff or a contractor, but they must be a data protection expert.
If you have a data protection officer, you must publish their contact details (such as in your Privacy Policy) and communicate them to the supervisory authority.
The data protection officer must be involved in all aspects of data protection in your organization. You need to support them and ensure they can access any necessary training.
You must not instruct the data protection officer on how to carry out their data protection responsibilities, and you must not dismiss or penalise them for performing those tasks. They should report directly to the highest level of management in your organization. They may do other jobs within your organization, so long as there is no conflict of interest with their duties as data protection officer.
The data protection officer has various responsibilities, including:
EU Member States should encourage certain bodies, such as associations of small or medium-sized enterprises, to draw up codes of conduct which instruct their members on how to comply with the GDPR.
These codes of conduct should include information about things such as:
Such codes of conduct should be submitted to the supervisory authority for approval. The European Commission can decide if a code of conduct has general validity throughout the whole of the EU.
If accredited to do so by a supervisory authority, certain bodies can monitor compliance with codes of conduct. Such a body will need to meet certain criteria, including:
Such a monitoring body can suspend or exclude organizations who don't comply with the code of conduct, so long as it informs the supervisory authority.
EU Member States, together with various institutions, must encourage voluntary certification schemes. These schemes will allow organizations to demonstrate their GDPR compliance.
These schemes should provide a clear and transparent process by which organizations can earn certificates, seals and marks that verify their good data protection practices. Such awards should only be valid for up to three years, at which point they'll be subject to renewal.
Certificates designed to verify GDPR compliance should only be issued by certification bodies that are themselves accredited by the supervisory authority, by the national accreditation body designated under Regulation (EC) No 765/2008, or by both.
A certification body must fulfill certain requirements, including having:
Supervisory authorities have the ability to revoke the powers of certification bodies.
Anyone transferring personal data from the EU to a third country or an international organization must comply with the conditions set out in Chapter 5 of the GDPR (Articles 44 to 50).
If the European Commission has given approval to a third country's data processing practices, affirming that they are adequate, you can transfer personal data from the EU to this country.
The European Commission will consider certain factors in deciding whether to approve a third country, including:
The European Commission will review its approval of third countries every four years. It will maintain a list of approved third countries.
If a third country isn't approved by the Commission, you can still transfer personal data to that third country from the EU, even without the permission of your supervisory authority - but you need to put certain safeguards in place. Such safeguards include:
You can also transfer personal data from the EU to a non-approved third country if you have certain contractual clauses or provisions, but you'll need permission from your supervisory authority for this.
A company can enact certain rules that will allow it to transfer data to third countries that haven't been approved by the European Commission. Such rules need to be legally binding on anyone who is involved in the data processing operation and must confer rights on the people whose data is being transferred out of the EU.
Binding corporate rules need to specify various information, including:
A supervisory authority can approve a company's rules if they fulfill certain criteria. If its rules are approved by one supervisory authority, a company doesn't need to approach each other supervisory authority in every Member State in which it operates.
If a court in a third country rules that personal data should be transferred out of the EU, this will only be enforceable if there's an international agreement between the third country and the EU or an EU Member State. This is in addition to any of the other allowable circumstances for third country data transfers, as set out between Articles 44-50 of the GDPR.
Under certain circumstances, it's possible to transfer personal data to a third country even if there's no adequacy decision for that country (under Article 45) and you haven't put appropriate safeguards in place (under Article 46, including binding corporate rules under Article 47).
This can only happen under certain circumstances, including where:
The European Commission and the supervisory authorities will seek to establish good relations with third countries to help them develop good data protection practices.
EU Member States must provide a supervisory authority. This is a public body which monitors how the GDPR is being applied. The supervisory authorities of different EU Member States must cooperate with one another.
Supervisory authorities take instruction from no-one and must remain completely independent. Their budget should be made public, and their freedom from state interference must not be infringed upon.
Members of supervisory authorities must be appointed through a transparent procedure by the Member State's parliament, government, head of state, or an independent body entrusted with the appointment by national law. They must be suitably qualified and shall only be dismissed under specific conditions.
EU Member States must pass various laws in connection with supervisory authorities. These laws must cover certain things, including:
Members of supervisory authorities are bound by professional confidentiality.
Supervisory bodies must be able and allowed to carry out all the tasks assigned to them by the GDPR - but are not allowed to supervise data processing carried out by courts.
If you're carrying out data processing across borders, the supervisory authority of the EU Member State in which you're based (or do most of your processing activity) will be your lead supervisory authority.
Any complaints or allegations of GDPR infringement will be handled by the supervisory authority of the Member State in which the incident occurred. This may or may not be the lead supervisory authority. If it's not the lead supervisory authority, the relevant supervisory authority must inform the lead supervisory authority about the incident. The lead supervisory authority then has three weeks to decide whether it will deal with the incident itself, or let the reporting supervisory authority handle it.
If you're engaged in cross-border data processing, the lead supervisory authority is your sole interlocutor for that processing: it is the only supervisory authority you need to deal with, even though other concerned supervisory authorities still take part in decisions behind the scenes.
A supervisory authority has certain tasks to carry out in its Member State, including:
Supervisory authorities can't charge for their services, except for where a person is making complaints that are manifestly unfounded or excessive.
A supervisory authority has certain powers in its Member States, including:
A supervisory authority must prepare an annual report on its activities, including data about any GDPR infringements it has been made aware of. This report must be made publicly available.
Lead supervisory authorities must try to work together with other supervisory authorities and reach a mutual agreement where possible. Lead supervisory authorities can ask that other supervisory authorities help each other, and must encourage open and transparent sharing of information.
The lead supervisory authority will publish draft decisions where it needs to take action in relation to a complaint or alleged infringement. Other relevant supervisory authorities can then give their opinions on it. They can raise objections and the decision will be adjusted where appropriate.
Supervisory authorities must help each other implement the GDPR. This includes providing each other with all necessary information.
If a supervisory authority asks another for help, they must receive a response within a month at the latest. Such requests can only be refused under very specific circumstances, including:
Sometimes supervisory authorities will need to work together on joint operations. For example, when personal data processing is likely to affect people in more than one EU Member State.
A supervisory authority from one EU Member State can confer some of its powers on members or staff of a supervisory authority from another Member State taking part in a joint operation. The host Member State is responsible for any damage such visiting staff cause there, as it would be for its own staff.
The GDPR contains a mechanism for ensuring that it's applied consistently by supervisory authorities across the EU. All supervisory authorities must abide by this consistency mechanism.
The European Data Protection Board (referred to throughout the GDPR as "the Board") is tasked with issuing an opinion where a supervisory authority takes certain actions. These include where a supervisory authority wishes to:
Under some circumstances where there is a disagreement among supervisory authorities about how to implement the GDPR, the European Data Protection Board can make a binding decision about what should happen.
If an emergency arises and there's an urgent need to act to protect people's rights and freedoms, a supervisory authority can immediately adopt provisional measures that take legal effect on its own territory, without going through the normal consistency procedure. These measures can only be in place for a specified period of up to three months.
The European Commission can adopt implementing acts to specify how information is exchanged electronically between supervisory authorities, and between supervisory authorities and the European Data Protection Board.
The European Data Protection Board is composed of the head of one supervisory authority from each EU Member State and the European Data Protection Supervisor, and is represented by its Chair. The European Commission can take part in its meetings but isn't allowed to vote.
The European Data Protection Board takes instruction from no-one and must remain completely independent.
The European Data Protection Board has certain tasks which allow it to ensure consistent application of the GDPR, including:
The European Data Protection Board produces an annual report on data protection. This report is publicly available and shall include recommendations, best practices and practical applications for the GDPR.
The European Data Protection Board makes decisions by simple majority vote. It can change its rules or adopt new ones by a two-thirds majority vote.
The European Data Protection Board elects a chair and two deputy chairs by simple majority vote. They serve a maximum of two five year terms.
The Chair of the European Data Protection Board has a number of tasks, including:
The European Data Protection Supervisor provides the European Data Protection Board with a secretariat. The Secretariat works exclusively under the instruction of the Chair of the European Data Protection Board. The Secretariat helps provide administrative support to the Board, and is responsible for:
Discussions of the European Data Protection Board are confidential where appropriate. Some of the documents submitted to the Board are available to the public under certain conditions.
Individuals have the right to lodge a complaint with a supervisory authority. The supervisory authority must keep them informed about the progress of their complaint.
Individuals have the right to take a supervisory authority to court to seek remedies against the authority's decision concerning them. The court will be in whichever EU Member State the supervisory authority is based. An individual might take a supervisory authority to court if it doesn't handle the individual's complaint properly.
Individuals have the right to take a data controller or processor to court if they consider that their rights have been infringed due to non-compliance with the GDPR. The case can be brought either in the EU Member State where the data controller or processor is established, or in the EU Member State where the individual lives (unless the defendant is a public authority acting in the exercise of its public powers).
When an individual brings a court case against a supervisory authority, data controller or processor, they have the right to be supported by a not-for-profit organization. This organization should be involved in data protection and have objectives that serve the public interest.
EU Member States must also allow this organization to lodge complaints with supervisory authorities on behalf of individuals.
If a Member State court is dealing with a case brought against a data controller or processor and becomes aware that in a different EU Member State, another related case is pending against the same data controller or processor, the first court should contact the second court to confirm this. The second court can then suspend proceedings.
Anyone who has been damaged by an infringement of the GDPR has a right to receive financial compensation from the infringing data controller or processor.
Data controllers who are involved in data processing are responsible for any damage they cause by infringing the GDPR.
Data processors are only responsible for the damage they cause by:
Supervisory authorities can fine data controllers and processors for infringing the GDPR. These fines are designed in part to serve as a deterrent.
The supervisory authority takes several factors into account when deciding whether to impose a fine, and how much a fine should be. These factors include:
Some infringements attract a fine of a maximum of 10 million euros or 2 percent of a company's annual worldwide turnover - whichever is higher. Examples of such infringements include:
Other infringements attract a fine of a maximum of 20 million euros or 4 percent of a company's annual worldwide turnover - whichever is higher. Examples of such infringements include:
In addition to the fines set out in the GDPR, EU Member States must implement a separate system of penalties to deter infringement of the GDPR.
EU Member States have to strike a balance between data protection and freedom of expression. This means providing exceptions to certain parts of the GDPR for certain activities of journalists, artists, academics and writers. Member States need to inform the European Commission about such exceptions.
Where personal data forms part of an official document used to carry out a task in the public interest, this personal data might be made available to the general public.
EU Member States can make their own rules when it comes to national identification numbers. However, the national identification number can only be used under appropriate data protection conditions.
EU Member States can make additional rules to protect workers' rights around their personal data. Such rules might relate to a range of issues, including:
Processing for certain purposes is subject to special safeguards such as pseudonymization and data minimization. These purposes are: archiving in the public interest, scientific or historical research, and statistical purposes.
EU Member States can make exceptions to certain data rights when it comes to personal data processing for the purposes above.
Sometimes data controllers and processors will obtain personal data that they are obligated to keep confidential. EU Member States can make additional rules when it comes to the power of the supervisory authority to access personal data from data controllers and processors in these circumstances.
Some churches and religious groups have their own rules on processing personal data. They can keep these rules, so long as they're GDPR-compliant.
The GDPR gives the European Commission the power to pass particular delegated acts. Delegated acts are used to make non-essential changes to existing laws. The European Council and Parliament can revoke this power at any time.
The European Commission will be assisted by a committee to help it with implementing the GDPR.
The GDPR replaces an older EU law known as Data Protection Directive. This directive is no longer good law as of May 25, 2018, and any references made to it are now considered to be references to the GDPR.
Another EU law, known as the ePrivacy Directive (Directive 2002/58/EC), sets out specific rules for providers of publicly available electronic communications services on public communications networks. Where those providers are already subject to obligations under that directive with the same objective, the GDPR doesn't impose additional obligations on them for those matters.
Some EU Member States are party to international agreements regarding personal data transfer to third countries. So long as these were concluded before 24 May 2016, they are still in force.
The European Commission will prepare a report every four years, starting in 2020. This report will be publicly available. The report will focus in particular on issues concerning third country data transfers, cooperation, and consistency. It may contain information that's been requested from supervisory authorities, and give the views of other EU institutions.
The Commission may suggest amending the GDPR in light of this report.
The European Commission may suggest amendments to other EU data laws.
The GDPR applies from 25 May 2018.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.