Articles of the GDPR

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

The full text of the GDPR is made up of 99 Articles, arranged into 11 chapters. It's these Articles which we are summarizing here.

In this guide, "you" means the data controller - the person or organization that decides how and why specific data is processed. The "data subject" is the person the personal data is about. The "supervisory authority" is an independent organization in a country that oversees compliance with the GDPR. Other terms with specific definitions under the GDPR are detailed in Article 4.

The text also includes a series of Recitals. These are not part of the Regulation's binding operative text but rather act as explanatory notes setting out why the various measures of the GDPR were created. The Recitals can be used to aid interpretation but are not rules in themselves.


Chapter 1: General Provisions

Article 1: Subject-matter and Objectives

The GDPR covers the rights of natural persons (humans rather than businesses) regarding personal data. It's not meant to restrict the free movement of personal data.

Article 2: Material Scope

The GDPR covers processing of personal data wholly or partly by automated means, and any non-automated processing of personal data that forms (or is intended to form) part of a filing system. It doesn't cover individuals processing data purely for personal or household activities.

Processing by competent authorities for law enforcement purposes (preventing, investigating or prosecuting criminal offences) is covered by separate legislation rather than the GDPR.

Article 3: Territorial Scope

The GDPR applies if you or your data processor is in the European Union, even if the processing physically takes place outside of the EU.

The GDPR also applies if the processing relates to goods and services offered to somebody in the EU, or monitoring of behavior in the EU, even if you or your data processor is located outside of the EU.

The GDPR also applies if you are subject to the law of a European Union country by virtue of public international law (for example, a diplomatic mission), even if you aren't in the EU.

Article 4: Definitions

Some terms have a specific meaning in the GDPR.

"Personal data" means any information relating to an identified or identifiable natural person (a human rather than a company or corporation). A person is identifiable if they can be picked out directly or indirectly, for example by a name, an identification number, location data or an online identifier.

"Processing" of data covers any operation performed on personal data, whether automated or not, including collection, storage, alteration, disclosure and erasure.

A data "controller" is the person or organization that, alone or jointly with others, decides how and why data is processed. (In this guide, "you" refers to the data controller.)

A data "processor" carries out the processing on behalf of the controller.

"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes. It must involve either a statement or a clear affirmative action by the person giving consent.

Chapter 2: Principles

Article 5: Principles Relating to Processing of Personal Data

This article contains the key rules of the GDPR. It says personal data must be:

  • Processed lawfully, fairly and transparently
  • Collected and used only for a specified, legitimate purpose
  • Limited to the data needed for the specified purpose
  • Accurate and up-to-date
  • Kept only as long as necessary for the specified purpose and then either anonymized or destroyed
  • Kept secure against loss, damage and unauthorized access

You are responsible for following these rules and must be able to demonstrate that you do (the "accountability" principle).

Article 6: Lawfulness of Processing

Typically, it's only legal to process data if at least one of these conditions applies:

  • The data subject has given consent
  • The processing is necessary to fulfil a contract
  • The processing is necessary to comply with the law
  • The processing is necessary to protect somebody's "vital interests"
  • The processing is necessary to do something in the public interest
  • The processing is necessary for the "legitimate interests" of the data controller or a third party. This doesn't override the data subject's fundamental rights.

A European Union country can keep or introduce more specific laws governing processing carried out to comply with a legal obligation or to perform a task in the public interest (the third and fifth conditions above).

Article 7: Conditions For Consent

The burden is on you to prove consent.

Requests for consent must be in a clear form using plain language.

The data subject can withdraw consent at any time, but this doesn't have a retrospective effect.

If you make consent to data processing a condition of a service even though the processing isn't necessary for that service, the consent may not count as freely given, and so may not be valid.

Article 8: Conditions Applicable to Child's Consent in Relation to Information Society Services

Where you rely on consent to offer "information society services" (online services, which the GDPR defines by reference to Directive (EU) 2015/1535 as services normally provided for remuneration, at a distance and by electronic means) directly to a child, the consent of a child aged under 16 is only valid if it is given or authorised by the holder of parental responsibility. You must make reasonable efforts, taking available technology into account, to verify that this is the case.

Individual countries can lower this age limit, but can never set it below 13.

Article 9: Processing of Special Categories of Personal Data

As a general principle, the GDPR bans processing of personal data involving the following:

  • Race or ethnic origin
  • Political, religious and philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data about sexual activity or orientation

Exemptions to this ban include the following:

  • The data subject has explicitly consented (and EU or national law doesn't ban this exemption)
  • The processing is necessary under employment or social security law
  • The data subject is physically or legally unable to give consent and the processing is needed to protect somebody's vital interests
  • The data subject has already made the data public
  • The processing is necessary for medical, public health, the public interests or research, and EU or national law specifically allows this exemption

Individual EU countries can add their own restrictions on processing health, genetic or biometric data.

Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences

Only official authorities (or those specifically authorised by an EU or national law) can process data about criminal convictions and offenses.

Article 11: Processing Which Does Not Require Identification

If you don't need to know the identity of a data subject for processing purposes, the GDPR doesn't oblige you to find out.

Chapter 3: Rights of the Data Subject

Article 12: Transparent Information, Communication and Modalities For the Exercise of the Rights of the Data Subject

You must give data subjects information in clear and concise language. Normally this should be written, either print or electronic. If the data subject asks, you can give the information orally, as long as their identity has been proven by other means.

Within a month of receiving a request from a data subject exercising their rights (for example, a data access request), you must do one of the following:

  • Provide the data or take the requested action
  • Say why it will take longer to do so (allowed only where requests are complex or numerous), and then respond within a further two months, i.e. within three months of the original request
  • Say why you can't act on the request, and tell the data subject they can complain to a supervisory authority and seek a judicial remedy

You can't normally charge to respond to a request. If somebody makes manifestly unfounded or excessive requests (for example, repetitive ones) you can charge a reasonable fee or refuse the request, but it's up to you to prove this is justified.

Article 13: Information to be Provided Where Personal Data are Collected From the Data Subject

At the point you collect data you must give the data subject the following details (unless they already have them):

  • Your identity and contact details
  • Contact details for your data protection officer or representative if applicable
  • The purpose for collecting the data
  • The legal basis for collecting the data, and the legitimate interests relied on if that's the basis
  • Who you will share the personal data with
  • Whether you plan to transfer the data to a non-EU country and if so, how you will make sure it is safeguarded

You must also tell the data subject the following:

  • How long you will keep the data, or how you'll decide how long to keep it
  • Their user rights, including:

    • Withdrawing consent
    • Data portability
    • To ask you to correct or delete data
    • To complain to a supervisory authority
  • Whether they are legally or contractually required to provide data
  • Whether and how you use automated decision-making

Article 14: Information to be Provided Where Personal Data Have Not Been Obtained From the Data Subject

If you get personal data from a third party, you must tell the data subject the following:

  • Your identity and contact details
  • Contact details for your data protection officer or representative if applicable
  • The purpose for collecting the data
  • The legal basis for collecting the data
  • The categories of data
  • Who you will share the personal data with
  • Whether you plan to transfer the data to a non-EU country and if so, how you will make sure it is safeguarded
  • How long you will keep the data, or how you'll decide how long to keep it
  • Their user rights, including:

    • Withdrawing consent
    • Data portability
    • To ask you to correct or delete data
    • To complain to a supervisory authority
  • Where you got the data
  • Whether and how you use automated decision-making

You must give these details to the data subject at the latest:

  • Within a month of getting the data, or
  • When you first communicate with the data subject, if you use the data to contact them, or
  • When you first disclose the data to another recipient, if you plan to do so

whichever of these happens first.

Article 15: Right of Access By the Data Subject

The data subject has the right to ask whether you process personal data about them. This is known as the right of access. Under this right, the data subject can ask:

  • Why you are processing the data
  • What categories of data are involved
  • Who you have disclosed it to or will disclose it to
  • How long you will keep the data, or how you'll decide how long
  • Whether and how you use automated decision-making

When you get such a request, you must also remind the data subject of their rights including:

  • Withdrawing consent
  • Data portability
  • To ask you to correct or delete data
  • To complain to a supervisory authority

The data subject can also ask for a copy of the data itself. The first copy must be free but you can charge a reasonable fee for extra copies. Normally you should provide the data in electronic form.

Article 16: Right to Rectification

Under the right to rectification, if the data subject asks, you must correct any errors in the data without delay, including adding to incomplete information.

Article 17: Right to Erasure ('Right to Be Forgotten')

Under the right to erasure, if the data subject asks, and any of the following apply, you must erase the personal information you hold on that individual:

  • You no longer need the data for the original stated purpose
  • The data subject withdraws consent for the processing
  • The data subject objects to processing and you have no overriding legitimate grounds to continue (or the objection is to direct marketing)
  • You've processed data unlawfully
  • You have to erase the data to comply with a law

If you've made the data public, you must take reasonable steps, given available technology and cost, to tell other controllers processing the data that the data subject has asked for links to it and copies of it to be erased.

You don't have to follow the request if some legal, public interest or health reasons override it.

Article 18: Right to Restriction of Processing

In the following situations, a data subject can ask that you keep data but stop processing it for a certain period:

  • While you are checking the data subject's claim that the data is inaccurate
  • If the data processing is unlawful but the data subject doesn't want the data deleted
  • If you no longer need to process the data but it may be needed in a legal case
  • While there's a dispute about whether your "legitimate grounds" apply

Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

If you correct, erase or restrict the use of personal data, you must tell anyone you have disclosed the data to, unless this proves impossible or involves disproportionate effort. If the data subject asks, you must also tell them who those recipients are.

Article 20: Right to Data Portability

If the processing is based on the data subject's consent or on a contract, and is carried out by automated means, the data subject has the right to receive a copy of the data they provided to you, to pass it on to another controller, or to have you send it directly to another controller where this is technically feasible.

The data should be in a "structured, commonly used and machine-readable format."

Article 21: Right to Object

If your data processing relies on the legal basis of public interest or legitimate grounds, the data subject has the right to object. If they do, you must either stop processing the data or show "compelling legitimate grounds" why your right to process overrides the objection.

If the data subject objects to you processing their data for direct marketing purposes, you must stop immediately.

Article 22: Automated Individual Decision-Making, Including Profiling

The data subject normally has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them. The exceptions are where the decision is necessary for a contract between you and the data subject, is authorised by EU or national law, or is based on the data subject's explicit consent.

Where a contract or explicit consent is the basis, you must at least give the data subject the right to obtain human intervention, to express their point of view and to contest the decision. You shouldn't normally base such decisions on the special categories of data listed in Article 9.

Article 23: Restrictions

EU countries can make laws to restrict some of the rights and obligations in the GDPR for reasons including national security, defense and law enforcement. Such restrictions must respect the essence of fundamental rights and be necessary and proportionate, and the law must be specific about, among other things, the purposes of the processing, the categories of data involved and the safeguards against abuse.

Chapter 4: Controller and Processor

Article 24: Responsibility of the Controller

You must implement appropriate technical and organisational measures to comply with the GDPR and be able to demonstrate that you do. Following an approved code of conduct or certification scheme can help show this.

Article 25: Data Protection By Design and Default

You must design processing systems and procedures to make certain that by default you only collect and use data that's necessary for the stated purpose.

Article 26: Joint Controllers

If you and another organization or organizations both control how data is processed, you must have clear arrangements about who is responsible for complying with which GDPR responsibilities. However, a data subject can still exercise their rights with all of the controllers.

Article 27: Representatives of Controllers or Processors Not Established in the Union

If you're based outside the EU but the GDPR applies to you under Article 3 (because you offer goods or services to people in the EU or monitor their behavior there), you must designate in writing a representative in the EU for GDPR purposes. Data subjects and supervisory authorities can contact the representative instead of you, or as well as you, for regulatory and compliance reasons.

This doesn't apply if your processing is only occasional, doesn't include large-scale processing of the data described in Articles 9 and 10, and is unlikely to result in a risk to people's rights and freedoms, or if you're a public body.

Article 28: Processor

You can only use a data processor that provides sufficient guarantees that it will meet the GDPR's requirements, and the processing must be governed by a contract (or other legal act) between you. The processor can only pass work on to a sub-processor with your prior written authorisation, and must bind the sub-processor by contract to the same data protection obligations.

Article 29: Processing Under the Authority of the Controller or Processor

Your data processor can only process the personal data on your instructions or when legally required to do so.

Article 30: Records of Processing Activities

You must keep written (including electronic) records of the data processing for which you are responsible, detailing the following:

  • Your name and contact details (and those of any joint controller)
  • Contact details for your data protection officer or representative if applicable
  • The purpose of processing
  • The types of data subject and personal data
  • The types of people or organizations you've disclosed data to
  • Whether you've transferred data to a non-EU country and any relevant safeguards you had in place
  • When you plan to delete data, where possible
  • A general description of the security measures you've taken, where possible

If you use a separate data processor, they must keep similar records. You must make the records available to the supervisory authority on request.

If you have fewer than 250 employees you don't need to keep these records, unless your processing is likely to result in a risk to people's rights and freedoms, is more than occasional, or includes the special categories of data detailed in Article 9 or data about criminal convictions.

Article 31: Cooperation With the Supervisory Authority

You and your data processor must cooperate with a supervisory authority's requests.

Article 32: Security of Processing

You and your data processor must implement technical and organisational security measures appropriate to the level of risk, taking into account the state of the art, the cost of implementation, and the nature and scope of the processing. The risks to consider include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Example measures named in the Article include the following:

  • Pseudonymising and encrypting data
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems
  • Being able to restore availability of, and access to, data promptly after an incident (for example, from backups)
  • Regularly testing and evaluating the effectiveness of the measures (for example, through security audits)

Article 33: Notification of a Personal Data Breach to the Supervisory Authority

You must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. If notification takes more than 72 hours, you must explain the delay.

The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records involved), give the contact details of your data protection officer or another contact point, and describe the likely consequences and the measures you have taken or propose to take to address the breach and mitigate its effects. You must also keep a record of every breach, including those you don't notify.

Your data processor must tell you about any breach without undue delay after becoming aware of it.

Article 34: Communication of a Personal Data Breach to the Data Subject

If a breach is likely to result in a high risk to the data subject's "rights and freedoms" you must tell them without undue delay, describing the breach in clear and plain language and giving the details listed in Article 33. You don't have to do this if you had applied measures, such as encryption, that render the data unintelligible to anyone not authorised to access it, or if you have since taken measures that mean the high risk is no longer likely to materialise.

If contacting people individually would involve disproportionate effort, you can use a public communication instead.

Article 35: Data Protection Impact Assessment

If a type of processing, in particular one using new technologies, is likely to result in a high risk to people's rights and freedoms, you must first carry out a data protection impact assessment. This covers the processing and its purposes, its necessity and proportionality, the risks to data subjects, and the measures to address those risks. An assessment is required in particular if you do any of the following:

  • Make decisions with legal or similarly significant effects on people based on a systematic and extensive evaluation of them by automated processing, including profiling
  • Systematically monitor a publicly accessible area on a large scale
  • Process the special categories of data detailed in Article 9, or data about criminal convictions, on a large scale

You should seek your data protection officer's advice when carrying out the assessment, and supervisory authorities publish lists of the kinds of processing that require one.

Article 36: Prior Consultation

If an impact assessment of the type detailed in Article 35 shows the processing would result in a high risk unless you take measures to mitigate it, you must consult the supervisory authority before you start the processing.

Article 37: Designation of the Data Protection Officer

You must designate a data protection officer in any of the following circumstances:

  • You're a public authority or body
  • Your core activities involve regular and systematic monitoring of people on a large scale
  • Your core activities involve large-scale processing of the special categories of data detailed in Article 9 or data about criminal convictions

Your data protection officer should have expert knowledge on data protection law. You can use a staff member or an outside consultant.

Article 38: Position of the Data Protection Officer

You (and your data processor if you have one) must make sure the data protection officer has the resources, information and power to do their job. You can't tell them how to do it, or dismiss them for doing their work.

They can do other tasks for you, but you must make sure there's no conflict of interest with their data protection work.

Article 39: Tasks of the Data Protection Officer

Your data protection officer's work must include:

  • Informing and advising you, your processor and your staff about their obligations under the GDPR
  • Monitoring compliance with the GDPR and with your own data protection policies, including assigning responsibilities, raising awareness, training staff and carrying out audits
  • Advising on data protection impact assessments and monitoring how they are carried out
  • Cooperating with the supervisory authority
  • Acting as the contact point for the supervisory authority

Article 40: Codes of Conduct

Industry associations for data controllers and processors in a country can draw up a code of conduct and ask the supervisory authority to approve it. Abiding by the code can be used as evidence you are complying with the GDPR's measures. However, it doesn't override the supervisory authority's powers.

Article 41: Monitoring of Approved Codes of Conduct

The supervisory authority can designate another organization to monitor compliance with a code of conduct, as long as there's no conflict of interest.

Article 42: Certification

Countries can set up certification programs to show data controllers and processors have adequate systems and safeguards to comply with the GDPR.

The supervisory authority can designate another organization to operate the certification scheme.

Certificates must be renewed at least every three years.

Article 43: Certification Bodies

The organizations running certification programs must be independent with no conflict of interests. They must have procedures to handle complaints about their certification program.

Chapter 5: Transfers of Personal Data to Third Countries or International Organizations

Article 44: General Principle For Transfers

You can only transfer data to a non-EU country or international organization if you follow all the rules in Chapter 5 (Articles 44-50).

Article 45: Transfers on the Basis of an Adequacy Decision

You can transfer data to a non-EU country or international organization if the EU has formally decided it offers an adequate level of protection to uphold the measures of the GDPR.

Article 46: Transfers Subject to Appropriate Safeguards

You can only transfer data to a non-EU country or international organization that isn't covered by an EU adequacy decision if you or your processor have provided appropriate safeguards and data subjects have enforceable rights and effective remedies. Safeguards include a legally binding instrument between public authorities, binding corporate rules (Article 47), standard contractual clauses adopted by the European Commission or approved by a supervisory authority, an approved code of conduct, or an approved certification, in each case with binding commitments from the recipient.

Article 47: Binding Corporate Rules

A group of companies (or of enterprises engaged in a joint economic activity) can transfer data to its members outside the EU under binding corporate rules.

These rules must be legally binding on every member of the group, cover how the data subject can exercise the same rights they would enjoy under the GDPR, and be approved by the competent supervisory authority.

Article 48: Transfers or Disclosures Not Authorized by Union Law

A judgment of a court or a decision of an authority in a non-EU country requiring you to transfer or disclose personal data is only recognised or enforceable in the EU if it is based on an international agreement, such as a mutual legal assistance treaty, between that country and the EU or an EU country.

Article 49: Derogations For Specific Situations

A few situations exist where you can transfer data to a non-EU country or international organization without meeting any of the usual conditions:

  • The data subject has been told of the possible risks of a transfer without an adequacy decision or appropriate safeguards, and explicitly consents to it anyway
  • A contract between you and the data subject makes the transfer necessary. It can also be a contract between you and another person where the contract is in the data subject's interest.
  • Important public interest
  • The transfer relates to a legal claim
  • The transfer protects the data subject's vital interests and they physically or legally can't consent
  • The data is already part of a publicly-accessible register

Article 50: International Cooperation For the Protection of Personal Data

The European Commission and the various supervisory authorities must work together on ways to uphold the GDPR's measures when dealing with non-EU countries.

Chapter 6: Independent Supervisory Authorities

Article 51: Supervisory Authority

Every EU country must have one or more independent supervisory authorities to uphold the GDPR's measures.

The authorities from different countries must work together to make sure the GDPR works consistently across the EU.

Article 52: Independence

Supervisory authorities must act completely independently. Countries must give a supervisory authority adequate resources but allow it to choose its own staff.

Article 53: General Conditions For the Members of the Supervisory Authority

Countries must have a transparent process for appointing members to a supervisory authority.

This could be done by a parliament, government, head of state or independent body. Each member must have suitable skills and experience, particularly in data protection.

They should have a term of office and normally should only leave early if they resign, reach a compulsory retirement age, or engage in serious misconduct.

Article 54: Rules on the Establishment of the Supervisory Authority

Each EU country must have a law setting up the supervisory authority and covering the following key aspects:

  • The criteria to be a suitable member
  • The appointment process
  • The term of office, which must be at least four years
  • Any limit on total terms of office
  • Rules involving conflicts of interest

Members must follow professional secrecy during and after their term of office, particularly regarding individuals reporting a breach of the GDPR.

Article 55: Competence

A supervisory authority must have the ability and power to carry out its work. It doesn't have the power to supervise data processing by courts.

Article 56: Competence of the Lead Supervisory Authority

If you carry out cross-border data processing, the supervisory authority of the country where you have your main (or only) establishment in the EU acts as the lead supervisory authority overseeing compliance.

If a supervisory authority in another country gets a complaint, it will check with the supervisory authority in your country to see who should handle the case.

Article 57: Tasks

Each supervisory authority must carry out a lengthy list of tasks including:

  • Enforcing the GDPR
  • Increasing public awareness about data processing, particularly involving children
  • Advising governments
  • Informing data controllers and processors of their responsibilities
  • Handling complaints
  • Overseeing any codes of conduct or certification programs
  • Working with supervisory authorities in other countries

A supervisory authority shouldn't normally charge data subjects or data protection officers for its work.

Article 58: Powers

The supervisory authority's powers fall into three categories:

  • Investigative, including ordering you to provide relevant information and give access to your premises
  • Corrective, including forcing you to change your procedures, to take action to correct a breach, or to pay an administrative fine
  • Authorization, including approving codes of conducts and certification programs

Despite these powers, the supervisory authority is still subject to domestic and EU law.

Article 59: Activity Reports

Each supervisory authority must publish an annual report on its work.

Chapter 7: Cooperation And Consistency

Article 60: Cooperation Between the Lead Supervisory Authority and the Other Supervisory Authorities Concerned

The lead supervisory authority should try to reach consensus with any other relevant supervisory authorities, including in other countries. This includes giving them four weeks to comment on any proposed decision.

Article 61: Mutual Assistance

Supervisory authorities must give help and information to one another. Typically, they can't turn down requests for information or charge a fee to provide it.

Article 62: Joint Operations of Supervisory Authorities

Supervisory authorities must conduct joint operations where relevant, particularly in cases that affect multiple countries. This could involve a supervisory authority extending its powers under domestic law to be used by a supervisory authority in another country.

Article 63: Consistency Mechanism

The European Data Protection Board has rules and procedures known as a "consistency mechanism" to make sure the GDPR applies consistently across the EU. Supervisory authorities must follow these rules.

Article 64: Opinion of the Board

Supervisory authorities must consult the European Data Protection Board before taking key measures including approving codes of conduct or certification programs, and approving contract clauses and binding corporate rules that would allow data transfers to non-EU countries.

The board normally has eight weeks to give its opinion. If the supervisory authority decides to go against this opinion, it must explain why.

Article 65: Dispute Resolution By the Board

If two supervisory authorities disagree how to proceed in a case, the European Data Protection Board can make a binding decision.

Initially, two-thirds of the board's members must agree on a decision within one month (extendable by a further month for complex cases). If that doesn't happen, the board decides by simple majority within the following two weeks, with the Chair having the casting vote in a tie.

Article 66: Urgency Procedure

A supervisory authority can act without following the consistency mechanism if this is necessary to urgently "protect the rights and freedoms of data subjects."

When this happens, the authority must immediately inform the European Data Protection Board and the European Commission. This is only allowed if the actions have a purely domestic effect that will last a maximum of three months.

Article 67: Exchange of Information

The European Commission can make rules about how supervisory bodies should exchange information electronically, including using standardised formats.

Article 68: European Data Protection Board

The GDPR sets up the European Data Protection Board made up of the head of one supervisory authority from each EU country. If a country has multiple supervisory authorities, its domestic law decides which one is on the board.

The European Data Protection Supervisor is also on the board, but can only vote on decisions concerning the principles and rules that apply to the EU's own institutions and bodies.

A European Commission representative can attend board meetings but can't vote.

Article 69: Independence

The European Data Protection Board must act independently, taking no outside instructions.

Article 70: Tasks of the Board

The European Data Protection Board's main goal is to make sure the GDPR is applied consistently. This can involve the following tasks, among others:

  • Giving opinions on proposed actions
  • Settling disputes between supervisory authorities
  • Giving guidelines for how supervisory authorities act on issues such as profiling, sensitive data, breaches and binding corporate rules
  • Overseeing certification programs in non-EU countries

The European Commission can ask the board for advice on data protection issues.

Article 71: Reports

The European Data Protection Board must publish an annual report about the protection of people's data processing rights in the EU. It should also include details of guidelines it has issued and binding decisions it has made during the year.

Article 72: Procedure

Normally, the European Data Protection Board should make decisions by simple majority vote. It must require a two-thirds majority to change its rules of procedure.

Article 73: Chair

The European Data Protection Board should elect one of its members as chair and two members as deputy chair for a five year term, which can be renewed once.

Article 74: Task of the Chair

The chair is in charge of overseeing meetings, making sure the European Data Protection Board meets deadlines, and telling supervisory authorities the outcome of any dispute resolution.

Article 75: Secretariat

The European Data Protection Supervisor provides staff (a secretariat) to carry out the board's tasks in line with the chair's instructions. This includes day-to-day business, communications and translation.

Article 76: Confidentiality

The European Data Protection Board can make its discussions confidential, subject to the public access rights under Regulation (EC) No 1049/2001 of the European Parliament and Council.

Chapter 8: Remedies, Liability and Penalties

Article 77: Right to Lodge a Complaint With a Supervisory Authority

Any data subject has the right to complain to a supervisory authority if they believe somebody has breached the GDPR while processing their personal data. The supervisory authority must keep them informed of the progress and outcome of the complaint.

Article 78: Right to an Effective Judicial Remedy Against a Supervisory Authority

People have the right to take legal action against a supervisory authority.

This could be to challenge the authority's binding decision, or because the authority hasn't handled a complaint or kept the complainant informed within three months.

The legal action has to be in the courts of the supervisory authority's country.

Article 79: Right to an Effective Judicial Remedy Against a Controller or Processor

Data subjects have the right to take you or a data processor to court if they believe you've breached their rights under the GDPR. Doing so doesn't affect their right to complain to a supervisory authority.

If you or your processor are a public authority, the case has to be brought in your country's courts. Otherwise it can be in your country or the data subject's country.

Article 80: Representation of Data Subjects

Data subjects have the right to tell a non-profit organization to act on their behalf to complain to a supervisory authority or take court action.

Individual EU countries can decide whether such organizations can take such action on a data subject's behalf even without the data subject telling them to.

Article 81: Suspension of Proceedings

If multiple courts end up dealing with the same situation about the same data subject, any court other than the first one to start dealing with it can decide to suspend its proceedings. It can also rule it doesn't have jurisdiction to handle the case.

Article 82: Right to Compensation and Liability

Anyone who suffers damages because of a breach of the GDPR has the right to get compensation from the data controller or processor responsible.

If two organizations (controllers or processors) are responsible, they are both liable for the entire damage. This may mean one pays the compensation in full and then claims back a share from the other organization.

Article 83: General Conditions For Imposing Administrative Fines

Supervisory authorities must make sure fines for breaches are big enough to deter future breaches, but not disproportionate.

Examples of factors affecting the fine amount include the following:

  • The number of data subjects affected
  • Whether the infringement was intentional or negligent
  • Any action taken to mitigate damage
  • Previous breaches by the same organization
  • Whether the organization reported the breach itself
  • Compliance with a code of conduct or certification program

For lesser breaches, the maximum fine is €10,000,000 or two percent of worldwide annual turnover in the previous financial year, whichever is higher. These breaches are largely administrative and include breaches of Articles 8, 11, 25 to 29, 41 and 43.

Some breaches are considered more serious. These include breaches of key principles of processing, data subject rights and international transfer rules found in Articles 5 to 7, 9, 12 to 22, and 44 to 49. This category also covers failing to comply with a supervisory authority order.

These more serious breaches carry a maximum fine of €20,000,000 or four percent of worldwide annual turnover in the previous financial year, whichever is higher.

Article 84: Penalties

Individual EU countries can make rules allowing for penalties other than administrative fines.

Chapter 9: Provisions Relating To Specific Processing Situations

Article 85: Processing and Freedom of Expression and Information

Individual EU countries can make their own laws to balance the restrictions of the GDPR with the rights to freedom of expression and information. This can include making exceptions for processing carried out for journalistic, academic, artistic and literary purposes.

Article 86: Processing and Public Access to Official Documents

A public authority (or a private body acting in the public interest) can disclose personal data to comply with a country's laws on public access to official documents.

Article 87: Processing of the National Identification Number

Individual EU countries can make specific rules for processing national identification numbers or equivalent data. These rules must still include measures to safeguard the data subject's rights under the GDPR.

Article 88: Processing in the Context of Employment

Individual EU countries can make their own laws or rules about processing an employee's personal data in an employment context.

These rules can be more specific than the measures in the GDPR, covering issues such as recruitment, employment contracts, and workplace equality. They can also address how employee data works when multiple businesses have a working relationship.

Article 89: Safeguards and Derogations Relating to Processing For Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes

Both the EU and individual countries can make laws that create exceptions from the GDPR for archives made for public interest, scientific or historical research purposes or statistical purposes.

This is limited to exceptions to the rights in Articles 15, 16, 18 and 21, and is only allowed if the rights would otherwise make the archiving very difficult or impossible.

The laws should still require safeguards such as anonymizing and minimizing data collection.

Article 90: Obligations of Secrecy

Individual EU countries can make special rules to allow for cases of data controllers and processors being under an obligation of secrecy.

Article 91: Existing Data Protection Rules of Churches and Religious Associations

If a country has existing data protection rules for churches and religious associations, these rules can continue as long as they are updated to reflect the GDPR's measures.

Chapter 10: Delegated Acts and Implementing Acts

Article 92: Exercise of the Delegation

The European Commission has the right to adopt delegated acts regarding the GDPR. This means making new rules that update the GDPR to react to changing circumstances, without fundamentally changing its core elements.

The European Parliament and Council have three months to review (and potentially reject) delegated acts before they take effect. They can also revoke the Commission's right to adopt delegated acts.

Article 93: Committee Procedure

The European Commission can set up a committee to oversee the GDPR.

Chapter 11: Final Provisions

Article 94: Repeal of Directive 94/46/EC

A previous European Union directive on data processing was repealed when the GDPR took effect. (A directive tells individual countries what they must put into domestic law, while a regulation like the GDPR has immediate legal effect across the EU in its own right.)

Article 95: Relationship With Directive 2002/58/EC

The GDPR doesn't create extra obligations in cases where people are already covered by the rules on electronic communications in Directive 2002/58/EC.

Article 96: Relationship With Previously Concluded Agreements

Any international agreements on transferring data to non-EU countries that were in place before 24 May 2016 remain in force until amended, replaced or revoked.

Article 97: Commission Reports

The European Commission must publish a report on the GDPR every four years, starting in 2020, concentrating particularly on transfers to non-EU countries and on cooperation and consistency between supervisory authorities in different countries. It can propose amendments to the GDPR, particularly in response to changes in technology.

Article 98: Review of Other Union Legal Acts on Data Protection

The European Commission can propose changes to other EU directives and regulations to make sure they are consistent with the GDPR.

Article 99: Entry Into Force and Application

The GDPR took legal effect on 25 May 2018.