The full text of the GDPR is made up of Articles and Recitals.

The Articles are the formal clauses of the law. The Recitals are accompanying notes that explain why the various measures of the GDPR were adopted, and what outcome they are meant to achieve.

Courts and other authorities can refer to the recitals when interpreting any ambiguity or dispute over the articles of the GDPR.

We'll summarize each of the Recitals below.

Recital 1: Data Protection as a Fundamental Right

EU citizens have a fundamental right to have their personal data protected.

Recital 2: Respect of the Fundamental Rights and Freedoms

Any rules on data protection should respect people's fundamental rights. This is necessary to help people and strengthen the EU's internal market.

Recital 3: Directive 95/46/EC Harmonisation

The existing Directive 95/46/EC (passed in 1995) aimed to standardise personal data rights across all EU countries. (A Directive is a set of principles that countries must incorporate into domestic law, unlike a Regulation, which has immediate legal effect across the EU.)

Recital 4: Data Protection in Balance with Other Fundamental Rights

The right to have personal data protected is fundamental but not absolute. It must be proportionally balanced against other rights such as privacy, freedom of expression and the right to a fair trial.

Recital 5: Cooperation Between Member States to Exchange Personal Data

The EU's internal market means more personal data is flowing across national borders. Some EU law requires national authorities to share personal data with their counterparts in other countries.

Recital 6: Ensuring a High Level of Data Protection Despite the Increased Exchange of Data

Technology means much more data can easily be used by public bodies and private businesses, with personal data crossing national borders and going to non-EU countries.

Recital 7: The Framework is Based on Control and Certainty

The EU's data protection framework is based on people controlling their personal data, and on people, businesses and public bodies having certainty about the law.

Recital 8: Adoption into National Law

Although the GDPR has legal force itself, countries can incorporate some of its measures into domestic laws if this aids legal clarity.

Recital 9: Different Standards of Protection by the Directive 95/46/EC

Different countries incorporated 95/46/EC in different ways. These differences meant people in different countries might not have the same level of protection and freedom. This was an obstacle to the EU's economic aims and could harm competition.

Recital 10: Harmonised Level of Data Protection Despite National Scope

The GDPR allows for some flexibility to account for specific needs in individual countries. In particular, countries can define categories of sensitive data (which have extra safeguards) based on their own circumstances.

Recital 11: Harmonisation of the Powers and Sanctions

The powers to monitor compliance with data protection rules and the sanctions for infringements needed to be stronger and more detailed to make sure personal data is protected effectively across the EU.

Recital 12: Authorization of the European Parliament and the Council

Article 16 of the Treaty on the Functioning of the EU gives the European Parliament and Council the power and responsibility to set personal data protection rules.

Recital 13: Taking Account of Micro, Small and Medium-Sized Enterprises

EU law needs to cover personal data protection but also allow free movement of personal data for competition reasons. Public bodies should take into account the specific needs of "micro, small and medium-sized" businesses when applying the GDPR.

Organizations with fewer than 250 employees are exempt from some of the GDPR's normal requirements on record keeping.

Recital 14: Not Applicable to Legal Persons

The GDPR covers natural persons (humans) regardless of their nationality or where they live. The GDPR doesn't cover "legal persons" such as corporations.

Recital 15: Technology Neutrality

Personal data protection should be the same regardless of the technology used for processing. The GDPR applies to automated processing, as well as manual processing that involves a filing system. It doesn't cover unstructured physical files.

Recital 16: Not Applicable to Activities Regarding National and Common Security

The GDPR doesn't cover data handling that relates to the EU's common foreign and security policy, or to activities that are outside of the EU's legal scope, such as national security.

Recital 17: Adaptation of Regulation (EC) No 45/2001

An existing EU Regulation, 45/2001, covers data processing by the European Union's own agencies, bodies, offices and institutions. This needed to be updated to reflect the principles of the GDPR and take effect at the same time.

Recital 18: Not Applicable to Personal or Household Activities

The GDPR doesn't cover data processing by individuals carrying out personal or household activities (as opposed to professional or commercial activities). For example, it doesn't cover social networking or having an address book for personal correspondence.

However, the GDPR does cover data controllers and processors who provide the means for such activity, for example social network operators or online address book services.

Recital 19: Not Applicable to Criminal Prosecution

The existing Directive (EU) 2016/680 covers public bodies processing personal data for "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

This activity doesn't fall under the GDPR. However, personal data processing by such bodies for other purposes will fall under the GDPR. Countries may need their own rules to cover this situation.

Recital 20: Respecting the Independence of the Judiciary

Supervisory authorities shouldn't oversee data processing done by courts and other judicial authorities acting in their judicial capacity, as this could compromise their independence.

Instead, judicial systems need their own processes for ensuring compliance with the GDPR.

Recital 21: Liability Rules of Intermediary Service Providers Shall Remain Unaffected

The GDPR doesn't override or restrict the application of the existing Directive 2000/31/EC. This Directive protects the free movement of "information society services" across national borders.

Recital 22: Processing by an Establishment

The GDPR covers personal data processing by an organization that is established in the EU, meaning it has real activities there.

It doesn't matter if the processing itself physically takes place outside the EU. It doesn't matter if the organization established in the EU is a subsidiary or branch of a larger company that is based outside the EU.

Recital 23: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Targeted

The GDPR applies if the data processing relates to an offer of goods or services to somebody in an EU country. This is the case even if there's no charge for the goods or services, or if the data controller or processor is in a non-EU country.

Factors such as the language of the website and the currency of any prices can help settle any ambiguity on this point.

Recital 24: Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Profiled

The GDPR applies when data processing involves monitoring somebody's activities in a European Union country, regardless of where the data controller or processor is established.

Recital 25: Applicable to Processors due to International Law

The GDPR applies whenever somebody is subject to an EU country's domestic law despite not being established in the EU. Examples include diplomatic missions and consular posts.

Recital 26: Not Applicable to Anonymous Data

The GDPR only covers information about an identified or identifiable person. This includes pseudonymization where data about somebody could be combined with other information to identify them.

The GDPR doesn't cover processing of completely anonymous data.

Recital 27: Not Applicable to Data of Deceased Persons

The GDPR doesn't cover the personal information of dead people. National laws may cover this information.

Recital 28: Introduction of Pseudonymisation

Pseudonymization can reduce the risk of data breaches. However, it being mentioned in the GDPR doesn't mean other measures aren't useful or necessary.

Recital 29: Pseudonymisation at the Same Controller

Data controllers that use pseudonymized data must keep this data separate from other information that could identify the data subject.

Recital 30: Online Identifiers for Profiling and Identification

An individual could be associated with an online identifier such as an IP address, cookie or RFID tag. This could be combined with other information to identify a person and build up a data profile.

Recital 31: Not Applicable to Public Authorities in Connection With Their Official Tasks

The GDPR doesn't cover cases where public authorities receive data as part of their official work. Examples include tax authorities and financial market authorities. Other data protection laws could still apply to public authorities.

Recital 32: Conditions for Consent

Consent must be clear, affirmative and unambiguous. This includes actions such as ticking a box, changing settings or making a statement.

A lack of action or failure to opt-out is not sufficient for consent.

Individuals must give separate consent to each different purpose for processing data.

Recital 33: Consent to Certain Areas of Scientific Research

Data subjects can consent to their data being processed for an area of scientific research rather than a specific purpose. This process should follow ethical standards for scientific research.

Recital 34: Genetic Data

Genetic data is any personal data that covers somebody's inherited or acquired genetic characteristics. It can come from analysis of a biological sample involving chromosomes, DNA or RNA, or anything else giving equivalent information.

Recital 35: Health Data

For the purposes of the GDPR, health data is anything about a person's current or future health status, either physical or mental.

This includes identity numbers, test results and medical history among other information. It doesn't matter where the information came from.

Recital 36: Determination of the Main Establishment

The main establishment of a data controller in the EU is the place where it makes decisions on what data to process and how. It doesn't matter where the processing itself takes place.

The main establishment of a data processor in the EU is its place of central administration. If it doesn't have one, it's where the main processing activities happen.

If a case involves both a data controller and a data processor, the lead supervisory authority in the country of the data controller's main establishment is in charge. The supervisory authority covering the data processor's main establishment can and should take part in the case.

Recital 37: Enterprise Group

A group of undertakings means a controlling undertaking which has a "dominant influence" over other undertakings. This could be through financial, legal or procedural arrangements, including the power to control the data processing carried out by the other undertakings.

Recital 38: Special Protection of Children's Personal Data

Children's personal data rights need special protection. This may mean specific rules and implementation, particularly in cases involving services offered directly to children.

Normal parental consent rules shouldn't apply for data processing involving counselling and preventive services offered to children.

Recital 39: Principles of Data Processing

Personal data processing must be lawful and fair, which requires transparency about what data is collected, by whom, and how it's used. As part of this transparency, any information about data processing must be accessible and clearly written.

People must know their rights regarding data collection. At the point the data is collected, people must be told the purpose of collection.

Data should only be collected where necessary for the stated purpose and only used while this purpose applies. This may require regular reviews.

Inaccurate data must be corrected or deleted.

Processing must be done with appropriate security and confidentiality, including preventing unauthorized access.

Recital 40: Lawfulness of Data Processing

Personal data processing is only lawful if one of the following applies:

  • The data subject has consented
  • Another legitimate basis (under GDPR or another law) applies
  • The controller has to process the data because of a law or as part of a contract

Recital 41: Legal Basis or Legislative Measures

When the GDPR refers to a "legal basis" or a "legislative measure" this doesn't necessarily have to be a law passed by a parliament. However, the legal requirement must be clear to everyone affected.

Recital 42: Burden of Proof and Requirements for Consent

It's the data controller's responsibility to prove the data subject has given consent and understood what they were doing. The data subject must know the identity of the data controller and the purposes of the data use.

Consent only counts if the data subject can freely choose to give, refuse or withdraw consent without negative consequences.

Recital 43: Freely Given Consent

Consent won't count if there's an imbalance between the data subject and the controller that could mean the data subject didn't give consent freely.

Consent doesn't count as freely given if the data subject has to agree to all processing purposes (rather than decide individually for each purpose). Neither does it count if giving consent is a requirement of a contract even though getting the consent isn't necessary to provide the product or service.

Recital 44: Performance of a Contract

It's lawful to process data if doing so is necessary as part of a contract or the intention to enter into a contract.

Recital 45: Fulfillment of Legal Obligations

If a data controller's grounds for processing data is that doing so is a legal requirement, it should be clear which law or laws apply. Those laws may set down their own restrictions on who can process data and in what way.

Recital 46: Vital Interests of the Data Subject

It's lawful to process data to protect somebody's vital interests - in effect, to protect their life.

This should only apply when there's no other legal basis to process data. Examples include monitoring epidemics.

Recital 47: Overriding Legitimate Interest

A data controller may be able to process data on the basis of its "legitimate interests." This could include a business relationship with a customer, preventing fraud, or direct marketing.

The data subject's fundamental rights and freedoms may override the legitimate interests basis. This may depend on the data subject's reasonable expectations about the use of their data.

Recital 48: Overriding Legitimate Interest Within Group of Undertakings

Legitimate interests can include a transfer of data between connected businesses (part of a "group of undertakings") for internal administration. This doesn't affect the GDPR's rules on transfers to non-EU countries.

Recital 49: Network and Information Security as Overriding Legitimate Interest

Legitimate interests can include data processing that's necessary to maintain network and information security, including preventive measures.

Recital 50: Further Processing of Personal Data

It's only lawful to process data for the purposes stated when getting consent. A data controller can process the data again later on as long as it's in a way compatible with the stated purposes.

Normally the data controller needs fresh consent if they want to process the data later on for a different purpose. The only exception is if doing so is necessary to safeguard important public interests or public security.

Recital 51: Protecting Sensitive Personal Data

Some personal data is particularly sensitive and requires special protection. This can include data on racial and ethnic origin.

Sensitive data should only be processed where doing so is specifically allowed under the GDPR or an EU country's domestic law, and all other measures of the GDPR should still apply.

Two exceptions to this principle are if the data subject has explicitly consented, or if the processing is part of the legitimate activities of an organization that aims to protect fundamental rights and freedoms.

Recital 52: Exceptions to the Prohibition on Processing Special Categories of Personal Data

Both the GDPR and national laws can make exceptions (derogations) to the normal ban on processing sensitive data. This is limited to cases where the processing is in the public interest, with examples including employment law, health purposes, research, statistics and legal proceedings.

Recital 53: Processing of Sensitive Data in Health and Social Sector

Exemptions to the ban on processing personal data should only be allowed in a health context where doing so is necessary to benefit people and society as a whole.

To make sure this happens, the GDPR sets out conditions that apply across all EU countries. Individual countries can make their own laws with additional rules on processing genetic, biometric and health data, though these shouldn't restrict the free movement of personal data across borders.

Recital 54: Processing of Sensitive Data in Public Health Sector

In some cases it may be needed to process sensitive data without consent for public health reasons. These cases need specific measures to protect people's rights and freedoms.

For these situations, the definition of "public health" should be as listed in Regulation (EC) No 1338/2008. Such processing shouldn't lead to third parties being able to process the data for other reasons.

Recital 55: Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities

Processing personal data is lawful if it's done by a recognized religious association pursuing its aims under national or international law.

Recital 56: Processing Personal Data on People's Political Opinions by Parties

Political parties can process personal data about people's political opinions as long as appropriate safeguards are in place.

Recital 57: Additional Data for Identification Purposes

Data controllers don't need to get extra information to identify somebody solely to comply with the GDPR. However, they shouldn't refuse to take this information if it is provided.

Data subjects can be identified digitally, for example by log-in details to an online service.

Recital 58: The Principle of Transparency

The transparency principle means information about privacy must be clear and concise. This could include visualizations and electronic communications. That's particularly relevant on websites where data subjects might not know who is collecting what data, for example with third-party advertising.

Information about privacy aimed at a child must be written so they can understand.

Recital 59: Procedures for the Exercise of the Rights of the Data Subjects

Data controllers must give data subjects a way to exercise their rights under the GDPR, including electronically where appropriate, without a charge. Data controllers must respond to requests as quickly as possible and always within one month. If they refuse a request they must say why.

Recital 60: Information Obligation

Data subjects must be made aware of all of the following:

  • The fact processing exists
  • Whether the data controller uses profiling
  • Whether the data subject has to provide the data
  • What happens if they don't

This information could include standardized icons so users can see what's happening at a glance.

Recital 61: Time of Information

The data subject must get details of how their data will be used at the time it's collected, not afterwards.

If the data controller gets data from a third party, they must tell the data subject within a reasonable period.

If the data controller passes data on to a third party, they must tell the data subject immediately.

If the data controller wants to use the data for a different purpose to what they originally stated, they must tell the data subject beforehand.

Recital 62: Exceptions to the Obligation to Provide Information

Data controllers don't have to provide information about data processing if the data subject already has the information, or if providing it is impossible or would involve "disproportionate effort." This could happen particularly with data used for research and statistics.

Recital 63: Right of Access

Data subjects have the right to access and check data about them, including health data. This could include what data is involved, how long it has been processed for, who has the data, and whether it's used for automated processing and profiling.

Where possible, the data subject should be able to access the data directly, though this shouldn't override anyone's intellectual property rights.

If the data controller has a lot of data about a data subject, they can ask the data subject to be specific about what information they want to access.

Recital 64: Identity Verification

The data controller should verify the identity of a data subject requesting information, particularly online.

The data controller shouldn't store any personal information solely for responding to a potential access request.

Recital 65: Right of Rectification and Erasure

Data subjects should be able to correct errors in the personal data about them. They should also be able to ask for data to be deleted as part of their "right to be forgotten" under EU or national laws.

Examples of when this could happen include:

  • The data is no longer needed for the original stated purpose
  • The data subject has withdrawn consent
  • The data isn't being processed lawfully
  • The data subject gave consent as a child and didn't understand the consequences

A data controller could refuse such a request if they need to keep the data for one of the following reasons:

  • To exercise freedom of expression and information
  • To comply with the law
  • To carry out a task through official authority or in the public interest
  • To uphold the public interest on a public health matter
  • For archiving or statistical purposes
  • As part of a legal claim or defense

Recital 66: Right to be Forgotten

If a data subject exercises the "right to be forgotten," the data controller should tell anyone else who processes the data to delete any links to, and copies of, the data. The controller must take all reasonable steps to do this based on the available technology.

Recital 67: Restriction of Processing

Ways of restricting personal data to comply with a measure under the GDPR include moving it to another processing system, making it unavailable or taking it down from a website.

Whatever method is used, it should no longer be possible to process or change the data, and it should be clearly labelled as off-limits for processing.

Recital 68: Right of Data Portability

Data subjects have the right to data portability, meaning to get a copy of their data in a "structured, commonly used, machine-readable and interoperable format" that they can pass on to another data controller. If possible, the data should go directly from one data controller to the other. This doesn't mean either data controller is forced to use a particular format.

This right only covers cases where the processing was based on consent or to carry out a contract. It doesn't cover other reasons for processing, in particular processing while carrying out public duties or legal obligations.

This doesn't affect any of the data subject's other rights. For example, they still have the right to ask for the original data controller to delete the data (after providing the copy).

Recital 69: Right to Object

If the data controller is processing for a legal basis other than consent, the data subject has the right to object. If that happens, the controller must prove that its need to process the data overrides the data subject's rights and freedoms.

Recital 70: Right to Object to Direct Marketing

The data subject always has the right to object to their data being processed for direct marketing (and any related profiling). This right is absolute and the data controller must comply immediately. The data controller must clearly explain and highlight this right to the data subject.

Recital 71: Profiling

Data subjects have the right not to be subjected to a decision based entirely on automatic processing that has legal or other significant effects on them. This includes profiling and attempts to predict the data subject's activity.

EU and national law can create exemptions for specific circumstances such as fighting tax evasion or fraud. These exemptions must follow any relevant regulations and standards.

Even where the exemptions apply, such processing must have safeguards, must allow the data subject to demand a human intervention, and cannot involve children.

Any automated processing must include technical measures designed to reduce the risk of errors, correct any inaccuracies, secure the data, and avoid discrimination.

Automated decision-making involving sensitive data will need special restrictions.

Recital 72: Guidance of the European Data Protection Board Regarding Profiling

The European Data Protection Board (set up by the GDPR) can issue guidance on rules for profiling.

Recital 73: Restrictions of Rights and Principles

EU and national laws can restrict the rights people have under the GDPR if doing so is necessary to protect public security and the public interest. This could include disaster response, national economic interest, and public health purposes.

Such restrictions must follow the EU's Charter of Fundamental Rights and the European Convention on Human Rights.

Recital 74: Responsibility and Liability of the Controller

The GDPR sets out the data controller's responsibility and liability for any data processing done by them or on their behalf. They need to use appropriate measures to comply with the GDPR and show how these measures work.

Recital 75: Risks to the Rights and Freedoms of Natural Persons

The GDPR addresses the physical and non-physical risks to people from data processing.

Examples include:

  • Discrimination
  • Identity theft, fraud and other losses
  • Loss of confidentiality
  • Having sensitive information revealed
  • Being profiled based on personal aspects
  • Vulnerable people's data being processed, including children

Recital 76: Risk Assessment

Assessing the risk of data processing should be done objectively and take into account the context and scope of the processing. The assessment should distinguish between "risk" and "high risk."

Recital 77: Risk Assessment Guidelines

Risk assessment should follow guidelines, which could include codes of conduct or certification programs. The European Data Protection Board could issue guidelines to say that some types of processing won't normally be classed as "high risk."

Recital 78: Appropriate Technical and Organisational Measures

The data controller must use technical and organizational measures to comply with the GDPR.

These measures should follow the "data protection by design" and "data protection by default" principles. This means taking account of data protection when designing processing systems.

Public tendering could require such measures.

Recital 79: Allocation of the Responsibilities

The GDPR requires a clear allocation of responsibilities between a data controller, any other data controllers they work with, and any data processors who work on their behalf (and follow their instructions).

Recital 80: Designation of a Representative

If a data controller or processor is based outside the EU but still falls under the GDPR (because it offers goods or services there), it should designate in writing a representative who is in the EU. The representative should act on their behalf in dealing with supervisory authorities. The data controller or processor still remains liable for any breaches.

The only exception to this requirement is if the controller or processor only processes data about EU citizens rarely and not involving sensitive data or data relating to criminal convictions.

Recital 81: The Use of Processors

Data controllers must only use data processors who can prove they can comply with the GDPR. Codes of conduct and certification programs could help with this.

The controller must have a binding contract with the processor under EU or national law that sets out the processor's responsibilities.

Unless a law says otherwise, the processor must delete or return the data once they've finished processing it.

Recital 82: Record of Processing Activities

The data controller or processor (or both) must keep records of the processing done on behalf of the controller. They must provide these records to the supervisory authority on request.

Recital 83: Security of Processing

The data controller or processor must use security measures to mitigate the risks of processing such as loss or alteration of data and unauthorised access or disclosure. The measures should be appropriate given the sensitivity of the data and the costs of the security.

Recital 84: Risk Evaluation and Impact Assessment

If it's likely data processing poses a "high risk" to people's rights and freedoms, the data controller must carry out a data protection impact assessment. This should influence the choice of security measures.

If the high risk can't be mitigated because appropriate security measures are too expensive or technically impossible, the controller must consult the supervisory authority before processing the data.

Recital 85: Notification Obligation of Data Breaches to the Supervisory Authority

Personal data breaches can cause physical and non-physical damage to data subjects, including financial loss and a loss of confidentiality. A data controller must tell the supervisory authority about any breach as soon as possible, usually within 72 hours.

If they take more than 72 hours, they must explain why.

Recital 86: Notification of Data Subjects in Case of Data Breaches

Data controllers must tell data subjects about a breach as soon as possible if it creates a high risk of harm to the individual. The notification should explain the nature of the breach and tell the data subject anything they can do to mitigate it.

Data controllers should follow the guidance of the supervisory authority and law enforcement about the timing of a notification. For example, it may be a better use of resources to put new security measures in place before notifying data subjects.

Recital 87: Promptness of Reporting/Notification

It may be necessary to check that a data controller has suitable technical and organizational measures to make sure they both discover any breach and report it to the supervisory authority promptly.

The nature of the breach and the potential consequences could affect whether the timing of a notification counts as "without undue delay."

The supervisory authority may intervene after receiving a breach notification.

Recital 88: Format and Procedures of the Notification

The rules about how data breaches are notified should take into account the circumstances of the breach. These include whether the data controller used technical measures to limit the risk of identity fraud, and whether law enforcement activity could be harmed by an early disclosure of a breach.

Recital 89: Elimination of the General Reporting Requirements

Directive 95/46/EC said supervisory authorities had to be told about all data processing. That was costly and time-consuming but didn't always bring benefits.

The GDPR scraps that rule and instead says supervisory authorities only need to be told in advance about types of processing that create a high risk to data subjects, particularly new processing methods that haven't been put through a data protection impact assessment.

Recital 90: Data Protection Impact Assessment


Data protection impact assessments should cover the likelihood and severity of risk, taking into account measures that mitigate the risk.

Recital 91: Necessity of a Data Protection Impact Assessment

Situations where a data protection impact assessment could be needed include:

  • Large-scale processing (both the volume of data and the number of people) that may create a high risk
  • Data processing used in profiling people based on personal aspects or sensitive data
  • Large-scale monitoring such as CCTV in public places, particularly where it's not practical to opt out of data collection

This doesn't cover cases where a single health professional or lawyer has data about multiple clients or patients.

Recital 92: Broader Data Protection Impact Assessment

Sometimes a data protection impact assessment might need to be broader than covering a single project. This could involve multiple public authorities or data controllers setting up a common processing system, for example to cover an entire industry sector.

Recital 93: Data Protection Impact Assessment at Authorities

A country that makes a law requiring specific data processing may need to carry out a data protection impact assessment before the processing starts.

Recital 94: Consultation of the Supervisory Authority

If a data protection impact assessment shows there's a high risk of harm to data subjects, but it's not financially or practically possible to mitigate that risk, the data controller must consult the supervisory authority before starting the processing.

The supervisory authority should normally respond within a set period. However, failing to respond in time doesn't affect the supervisory authority's ongoing powers, including banning the processing later on.

Recital 95: Support by the Processor

Data processors must help data controllers take any steps that become necessary after a data protection impact assessment or consultation of the supervisory authority.

Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process

Supervisory authorities should be consulted when preparing a law or regulation that would lead to personal data processing to make sure that processing complies with the GDPR and any risk is mitigated.

Recital 97: Data Protection Officer

The following need a dedicated data protection officer:

  • Public authorities (except court and judicial authorities) that process personal data
  • Private businesses whose core activity involves regular and systematic processing of personal data
  • Private businesses whose core activity involves large-scale processing of sensitive personal data or data about criminal convictions and offenses

The data protection officer should have an appropriate level of expertise based on the data being processed and the protection this requires.

Recital 98: Preparation of Codes of Conduct by Organisations and Associations

Bodies representing controllers or processors should be encouraged to draw up codes of conduct. These could cover particular types of processing and the specific needs of different sized businesses.

The codes of conduct should set obligations for controllers and processors based on the risk their processing involves.

Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

Bodies writing or changing a code of conduct should consult stakeholders, including data subjects, and take notice of what they say.

Recital 100: Certification

Certification programs, including seals or marks, could help data subjects quickly assess the level of data protection available in a particular circumstance.

Recital 101: General Principles for International Data Transfers

For international trade to expand, personal data has to go back and forth between EU countries, non-EU countries and international organizations. This shouldn't undermine the protections under the GDPR. Such data transfers must fully comply with the GDPR, including specific conditions on transfers.

Recital 102: International Agreements for an Adequacy Decision

The EU can make international agreements with non-EU countries about data transfers. GDPR doesn't restrict these agreements.

Individual EU countries can make an international agreement with a non-EU country or international organization about data transfers, but these agreements must comply with the GDPR and other EU laws, particularly the requirements to protect data subjects.

Recital 103: Appropriate Level of Data Protection Based on an Adequacy Decision

The European Commission can make an "adequacy decision" about an international organization, non-EU country, or a territory or region of a non-EU country.

This decision means the EU considers that organization, country or area offers an adequate level of data protection. In turn, that means it's permissible to transfer data from the EU to that organization, country or area without further authorization.

The Commission can revoke an adequacy decision if it explains why.

Recital 104: Criteria for an Adequacy Decision

When making an adequacy decision, the European Commission should take into account the respect for the rule of law and human rights in the country or region in question. It should also apply objective standards to assess the rules covering data processing in that place.

The main principle is that an adequacy decision is about whether the country or region offers a level of protection for personal data equivalent to that in the EU, including independent supervision and enforceable rights.

Recital 105: Consideration of International Agreements for an Adequacy Decision


When making an adequacy decision, the Commission should take into account whether the third country is part of any international agreements on personal data, particularly the Council of Europe's Convention 108.

Recital 106: Monitoring and Periodic Review of the Level of Data Protection

After granting an adequacy decision, the European Commission should periodically review whether it is still justified for the country or region in question, taking into account the views of the European Parliament and Council.

Recital 107: Amendment, Revocation and Suspension of Adequacy Decisions

If the European Commission revokes an adequacy decision, personal data transfers to that country or region are no longer allowed without the appropriate safeguards required by the GDPR.

The Commission should consult with the country in question on what changes will allow the adequacy decision to be restored.

Recital 108: Appropriate Safeguards

If a non-EU country isn't covered by an adequacy decision, data transfers to it must have appropriate safeguards. These include the following:

  • Binding corporate rules
  • Standard data protection clauses adopted by the European Commission or a supervisory authority
  • Contractual clauses authorised by a supervisory authority

Such safeguards should ensure the processing in the non-EU country meets the GDPR's requirements, particularly enforceable rights for data subjects and the principles of data protection by design and by default.

A supervisory authority's approval is needed for any safeguards that aren't legally binding.

Recital 109: Standard Data Protection Clauses

A data controller or processor that uses a standard data protection clause adopted by the European Commission or a supervisory authority can do so as part of a wider contract. This contract can have other clauses about data protection, as long as they don't contradict the standard clause.

Recital 110: Binding Corporate Rules

Data transfers to outside the EU are allowed if they are between a group of undertakings (e.g. parent companies and subsidiaries) or a group of enterprises engaged in a joint economic activity, as long as they use binding corporate rules to ensure appropriate safeguards.

Recital 111: Exceptions for Certain Cases of International Transfers

The GDPR should allow for data transfers to outside the EU without an adequacy decision or specific safeguards in the following circumstances:

  • The data subject has explicitly consented to the transfer
  • It's an occasional transfer that's necessary because of a contract or legal claim
  • The transfer is necessary in the important public interest
  • The transfer is from a legally established register and the recipient has a legitimate interest in the data. (In this case, the transfer should only cover the specific data the recipient needs.)

Recital 112: Data Transfers due to Important Reasons of Public Interest

The exemption for transfers necessary in the important public interest covers situations such as data shared between national authorities covering competition, tax, financial supervision, social security and public health.

It also covers transfers necessary to protect somebody's vital interests such as their life, or transfers to a humanitarian organisation working under the Geneva Conventions. In both cases, this is only allowed if the person is incapable of giving consent.

Unless an adequacy decision applies, either EU or national law can set specific limits on transfers of a specific category of data.

Recital 113: Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects

A data transfer outside the EU without an adequacy decision or the usual safeguards could be allowed if all five of the following apply:

  • The transfer is not repetitive
  • It covers a limited number of data subjects
  • It's necessary for the controller's "compelling" legitimate interests
  • These legitimate interests override the data subject's rights and freedoms
  • The controller has fully assessed the circumstances before going ahead

The data controller must tell the supervisory authority and the data subject about such a transfer.

Recital 114: Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision

If the European Commission is yet to consider an adequacy decision about a particular non-EU country, then regardless of any other requirements, the data controller or processor must actively safeguard the data subject's rights before transferring data to that country.

Recital 115: Rules in Third Countries Contrary to the Regulation

Some non-EU countries have laws or regulations which they claim regulate data processing involving people in the EU. These laws or regulations may say a data controller or processor has to transfer data outside the EU.

Without an international agreement, these laws or regulations may breach international law. Because of this, data controllers and processors should only transfer data outside of the EU when this meets the conditions of the GDPR. They can't breach GDPR just to meet the non-EU country's law or regulation.

Recital 116: Cooperation Among Supervisory Authorities

Data transfers outside the EU may make it harder for individuals to exercise their rights and for supervisory authorities to protect these rights. To deal with this problem, supervisory authorities and the European Commission should work with authorities in non-EU countries on data protection.

Recital 117: Establishment of Supervisory Authorities

Having independent supervisory authorities in each EU country is essential to protect personal data rights. Countries should be allowed to set up more than one supervisory authority, for example if relevant to their administrative set-up or constitution.

Recital 118: Monitoring of the Supervisory Authorities

Although supervisory authorities are independent, their financial expenditure can still be controlled or monitored, and they are still subject to judicial review.

Recital 119: Organisation of Several Supervisory Authorities of a Member State

If a country has multiple supervisory authorities it should have a legal mechanism for how they work together. It should designate one supervisory authority as the contact point for working with authorities in other countries.

Recital 120: Features of Supervisory Authorities


Supervisory authorities should have the necessary resources for their work, including staff, premises and finance. They should have their own public annual budget.

Recital 121: Independence of the Supervisory Authorities

Countries should have laws on how supervisory authorities are transparently appointed. This could be by the parliament or government. It could also be by the head of state, but based on a proposal of a parliament, government or independent body.

During their term of office, the members should not do anything, or take any job, that compromises their independence.

Either the supervisory authority should choose its own staff, or an independent body set up by national law should do so.

Recital 122: Responsibility of the Supervisory Authorities

A supervisory authority should have the power and responsibility within the country to carry out its duties under the GDPR. This includes overseeing:

  • Processing by controllers and processors in the country
  • Processing by public authorities and other bodies in the public interest
  • Processing that affects data subjects in the country
  • Processing by controllers and processors that are outside the EU but target data subjects in the country

The work also includes handling complaints by data subjects and raising public awareness on data processing issues.

Recital 123: Cooperation of the Supervisory Authorities with Each Other and with the Commission

Supervisory authorities across the EU should cooperate with each other and with the European Commission without needing any formal agreements between countries.

Recital 124: Lead Authority Regarding Processing in Several Member States

Sometimes supervisory authorities from different countries work together on a case involving a data controller or processor. When this happens, one should act as lead authority. This should be a supervisory authority from the country of the controller or processor's main establishment.

The lead supervisory authority should work with any other supervisory authority that meets one of the following criteria:

  • The data controller or processor has an establishment in that authority's country
  • The processing in question substantially affects data subjects in that authority's country
  • A data subject has complained to the authority about the data controller or processor

The European Data Protection Board can issue guidelines on how to resolve any confusion or dispute on these points.

Recital 125: Competences of the Lead Authority

The lead authority has the power and responsibility to make binding decisions about the case, but should work closely with the other supervisory authorities in doing so.

If the binding decision is to reject all or part of a complaint, the supervisory authority which received the complaint must carry out the decision.

Recital 126: Joint Decisions

The lead authority should jointly agree decisions with other supervisory authorities involved in a case, then direct a binding decision to the main establishment of the data controller or processor, who must comply with it.

Recital 127: Information of the Supervisory Authority Regarding Local Processing

The normal rules requiring a lead authority work differently in a case where all of the following apply:

  • The data controller or processor is established in multiple EU countries
  • The processing in question only happens in one country
  • The processing only covers data subjects in that country

In this situation, the supervisory authority in that country should ask the lead supervisory authority to decide whether:

  • The lead supervisory authority will oversee the case, working with the local supervisory authority in the normal way and taking notice of its suggested decision, or
  • The local supervisory authority should handle the case itself

Recital 128: Responsibility Regarding Processing in the Public Interest

The lead supervisory authority set-up doesn't apply if the processing is done by a public or private body in the public interest. Only a supervisory authority in that body's country can handle the case.

Recital 129: Tasks and Powers of the Supervisory Authority

To make sure the rules apply consistently across the EU, supervisory authorities should all have the same tasks and powers, including investigation and sanctions such as a temporary or permanent ban on processing data.

This doesn't limit the rights of prosecutors in a country to take action under that country's laws on data processing; nor does it remove the possibility of judicial review.

Supervisory authorities must follow national and local laws, acting impartially and fairly. Anyone accused of a breach has the right to make their case before receiving a sanction. Judgments must be explained clearly in writing with reasons.

Recital 130: Consideration of the Authority with which the Complaint has been Lodged

If a lead supervisory authority handles a case stemming from a complaint, it must keep the supervisory authority which originally received the complaint informed about its work. It must take account of that supervisory authority's opinion when considering any punishment.

Recital 131: Attempt of an Amicable Settlement

If a lead supervisory authority handles a case stemming from a complaint, it's sometimes appropriate for the supervisory authority which originally received the complaint to try to reach an amicable settlement with the data controller or processor.

This could happen where the complaint only covers processing activities in the country where the complaint was made, and where the issue (and any outcome) doesn't affect data subjects in the other country.

Recital 132: Awareness-Raising Activities and Specific Measures

When supervisory authorities try to raise public awareness on data processing issues, they should make sure to address data controllers and processors of different sizes, as well as data subjects.

Recital 133: Mutual Assistance and Provisional Measures

Supervisory authorities should work together. If a supervisory authority asks another supervisory authority for help and doesn't get a response within a month, it can adopt a provisional measure.

Recital 134: Participation in Joint Operations

Supervisory authorities should carry out joint operations where possible. A supervisory authority asked to do so must respond within a specified time.

Recital 135: Consistency Mechanism


The GDPR needs a consistency mechanism to cover how supervisory authorities work together and settle any dispute.

This mechanism should apply whenever a supervisory authority or European Commission asks. It should also apply whenever a supervisory authority plans a measure with legal effects that covers data processing of a large number of people in multiple EU countries.

The mechanism doesn't restrict the Commission's existing powers.

Recital 136: Binding Decisions and Opinions of the Board

The European Data Protection Board should consider a matter and issue an opinion under the consistency mechanism if a supervisory authority, the European Commission or a majority of board members asks it to do so.

The Board can make a legally binding decision to settle any dispute between supervisory authorities, particularly two working on the same case. This decision needs a two-thirds majority of the Board.

Recital 137: Provisional Measures

Sometimes urgent action is needed to protect data subjects' rights and freedoms. To cover this, a supervisory authority can adopt a provisional measure that only covers its country or region and has effect for no more than three months.

Recital 138: Urgency Procedure

A provisional measure must follow the rules in Recital 137 to have legal power in the country concerned. Cases that involve multiple countries will require cooperation between supervisory authorities and may trigger the consistency mechanism.

Recital 139: European Data Protection Board

The European Data Protection Board should be a European Union body with a legal personality (represented by its Chair) and be legally and operationally independent. Its role is to promote cooperation between countries and supervisory authorities.

It should be made up of the head of a supervisory authority from each EU country, plus the European Data Protection Supervisor.

The European Commission should take part in the Board's activities but not be a member or have voting rights.

Recital 140: Secretariat and Staff of the Board

The European Data Protection Supervisor should provide staff (a "secretariat") to carry out the Board's work. These staff should report to, and follow the instructions of, the Chair of the Board.

Recital 141: Right to Lodge a Complaint

Any data subject who believes their rights under the GDPR have been infringed has the right to complain to a supervisory authority and request an effective judicial remedy.

The supervisory authority must carry out an appropriate investigation and tell the data subject about the case's progress and outcome within a reasonable time.

Supervisory authorities can and should offer a standardized way to complain such as an online form, though this doesn't exclude other ways of complaining.

Recital 142: The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association

A data subject can give a non-profit organization that deals with personal data a mandate to complain on its behalf.

Individual countries can allow such organizations to make complaints on behalf of data subjects without needing a mandate.

Organizations can't claim compensation on a data subject's behalf without getting a mandate first.

Recital 143: Judicial Remedies

Both people and legal persons (such as businesses) have the right to challenge any decision of the European Data Protection Board through the European Court of Justice's process for reviewing the legality of decisions.

The deadline for doing so for supervisory authorities is two months after being notified of the decision. For anyone else, the deadline is two months after the decision is published online.

Separately from the European Court of Justice option, anyone subject to legal effects from a supervisory authority's decision should have the right to challenge it in the courts of the country where the supervisory authority is established. This right doesn't cover opinions and advice issued by a supervisory authority.

If a supervisory authority rejects a complaint, the complainant can challenge the decision in the courts of the country where the supervisory authority is established.

National courts can apply to the European Court of Justice for a preliminary ruling when the ECJ's opinion is likely to be relevant. National courts must do this if a case involves the validity of a decision made by the European Data Protection Board.

If a court reviewing a decision made by a supervisory authority discovers another court is handling a case involving the same data processing, it must contact that court.

When this happens, any court other than the first to start a case can continue hearing its own case, pause its case, or reject the case and rule that another court has jurisdiction.

The principle in such situations is to reduce the risk of two courts issuing irreconcilable judgments about the same situation.

Recital 145: Choice of Venue

Normally anyone bringing a case against a data controller or processor can decide whether to take action in their own country or a country where the controller or processor has an establishment.

The exception is processing by a public authority of a country exercising its public powers. In that situation, the case must be brought in the public authority's country.

Recital 146: Indemnity

If a controller or processor is responsible for damage caused by processing which breaches the GDPR (or any laws and regulations that implement the GDPR), it must compensate the person or people for the damage. This doesn't affect any claims for damage involving laws other than the GDPR.

If the processing involves a controller and a processor, both are individually liable for the full damage amount. However, national laws can decide how to split responsibility for the damages, as long as the data subject still gets the full amount. If a controller or processor has to pay the full damages, they can sue other controllers or processors involved to recover some of the costs.

Recital 147: Jurisdiction

In cases where somebody is seeking a judicial remedy against a controller or processor, any specific rules on jurisdiction in the GDPR override general EU rules on jurisdiction.

Recital 148: Penalties

Supervisory authorities can issue penalties alongside or in place of any other measures laid down in the GDPR. This can be a fine. In cases of minor infringements or where a fine would be disproportionate on an individual, a reprimand can replace a fine.

The penalty should take into account factors such as:

  • The seriousness of the infringement
  • Whether it was intentional
  • Any measures to mitigate the damage
  • Previous infringements
  • Whether the infringer reported the breach and/or cooperated with a supervisory authority
  • Whether the infringer complies with a code of conduct

Recital 149: Penalties for Infringements of National Rules

EU countries can set their own rules for criminal penalties for breaching the GDPR and national laws.

This can include fines designed to recover the profits that stemmed from the infringement.

The exercise of the supervisory authority's powers to fine people and the country's powers to issue criminal penalties shouldn't mean an infringer is financially penalised twice for the same offense. This would breach a principle known as "ne bis in idem."

Recital 150: Administrative Fines


Supervisory authorities have the power to issue administrative fines (meaning a penalty beyond compensating the data subject). The GDPR should set out the upper limits for specific infringements and the criteria for setting a fine, taking into account factors such as those detailed in Recital 148.

In cases involving breaches by undertakings, the decision of exactly who the fine applies to should follow the principles of Articles 101 and 102 of the Treaty on the Functioning of the European Union.

Fines on individuals should take into account income levels in their countries.

Recital 151: Administrative Fines in Denmark and Estonia

Denmark and Estonia's legal systems don't allow for administrative fines. Infringements of the GDPR in Denmark could lead to fines imposed by national courts as criminal penalties. The courts should take into account the recommendation of the supervisory authority when imposing the penalty.

In Estonia, infringements could lead to a fine by the supervisory authority through a misdemeanour procedure.

Recital 152: Power of Sanction of the Member States

For serious infringements of the GDPR, individual EU countries should be able to issue criminal or administrative penalties that are effective, proportionate and dissuasive.

Recital 153: Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression

Individual EU countries should make exceptions to the GDPR to balance it with their own rules on freedom of expression and Article 11 of the Charter of Fundamental Rights. This could involve journalism, academic work, art and literary expression.

The exceptions should come through national laws. Where laws differ from country to country, the law of the country that covers the actions of the data controller applies.

Recital 154: Principle of Public Access to Official Documents

The application of the GDPR should take into account a country's principles and rules on public access to official documents. EU and national laws should reconcile these rules with the GDPR. Generally, if a country has rules that say a public body must disclose personal data it holds, those rules should continue to apply.

This doesn't cover any documents where access is already excluded.

Recital 155: Processing in the Employment Context

Individual EU countries can have specific laws and rules about processing the personal data of employees in an employment context.

Recital 156: Processing for Archiving, Scientific or Historical Research or Statistical Purposes

Individual EU countries should set rules on safeguarding personal data when it is processed for the following reasons:

  • Archiving purposes in the public interest
  • Scientific or historical research purposes
  • Statistical purposes

These rules could involve specific procedures for data subjects to exercise their rights on data processing.

Recital 157: Information from Registries and Scientific Research

Bringing together information from multiple registries can make medical and social science research much more effective. To this end, the GDPR allows for personal data to be processed for scientific research, subject to any other EU or national laws.

Recital 158: Processing for Archiving Purposes

The GDPR covers personal data (about living people) being processed for archiving purposes. Public bodies should be allowed to do such processing if they have a legal obligation to do so in the public interest.

Individual EU countries can make rules allowing other cases of processing for archiving purposes, for example archives covering totalitarian regimes, genocide and war crimes.

Recital 159: Processing for Scientific Research Purposes

The GDPR covers personal data processed for scientific research, which should be defined broadly and take into account the EU's objective of a European Research Area.

Scientific research data processing may need special rules, and data subjects may need extra protection with health data.

Recital 160: Processing for Historical Research Purposes

The GDPR covers personal data (about living people) processed for historical research and genealogy.

Recital 161: Consenting to the Participation in Clinical Trials

EU Regulation 536/2014, which covers consent for clinical trials, still applies alongside the GDPR.

Recital 162: Processing for Statistical Purposes

The GDPR covers personal data processed for statistical purposes. EU and national law should set out exactly what does and doesn't come under this category.

In principle, it means data handling needed for statistical surveys or to produce statistical results.

These results should be aggregate rather than personal data, and shouldn't affect decisions regarding individuals.

Recital 163: Production of European

Confidential data collected for official European or national statistics should be protected. This activity should follow both Article 338(2) of the Treaty on the Functioning of the European Union and Regulation 223/2009.

Recital 164: Professional or other Equivalent Secrecy Obligations

Individual EU countries can make rules for exceptions to the GDPR to reflect professional secrecy obligations. These rules must balance the secrecy obligation with personal data rights, though this doesn't override any EU laws requiring secrecy obligations.

Recital 165: No Prejudice of the Status of Churches and Religious Associations


The GDPR doesn't affect the status of churches and other religious groups under a country's constitutional law.

Recital 166: Delegated Acts of the Commission

The European Commission has the power to adopt acts to fulfil the aims of the GDPR. These could include rules for certification mechanisms and standardised icons.

The Commission must consult appropriately when developing such acts and keep the European Parliament and Council informed.

Recital 167: Implementing Powers of the Commission

The European Commission should have implementing powers under the GDPR, in line with EU Regulation 182/2011. In particular, the Commission should consider specific measures for different-sized businesses.

Recital 168: Implementing Acts on Standard Contractual Clauses

In some cases, EU countries will need to use the examination procedure, which oversees how the European Commission uses implementing powers.

Examples include implementing acts on:

  • Standard contractual clauses between controllers and processors
  • Codes of conduct
  • Certification programs
  • Data protection in non-EU countries and international organizations
  • Binding corporate rules

Recital 169: Immediately Applicable Implementing Acts

The Commission should immediately adopt an implementing act if it needs to confirm that a non-EU country or international organization doesn't offer a level of data protection compatible with the GDPR.

Recital 170: Principle of Subsidiarity and Principle of Proportionality

The GDPR is made under two EU principles.

The principle of subsidiarity means the GDPR includes only those measures that individual countries couldn't effectively achieve themselves.

The principle of proportionality means the GDPR shouldn't take measures beyond what's necessary to meet its objectives (free flow of personal data, but with protection for individuals).

Recital 171: Repeal of Directive 95/46/EC and Transitional Provisions

The GDPR needed to repeal the previous Directive 95/46/EC. Any processing already underway when the GDPR came into force had to meet the new rules in full within two years.

If data controllers or processors already had consent under Directive 95/46/EC that was compatible with the GDPR, they didn't need fresh consent.

Any European Commission decisions based on Directive 95/46/EC remained in force until they were amended, repealed or replaced.

Recital 172: Consultation of European Data Protection Supervisor

The existing Regulation 45/2001 says the European Commission has to consult the European Data Protection Supervisor whenever it adopts a legislative proposal about personal data rights and freedoms. This happened with the GDPR.

Recital 173: Relationship to Directive 2002/58/EC

Directive 2002/58/EC already covered some rules on data protection. To avoid any confusion with the GDPR's measures, this Directive had to be amended where necessary and then reviewed after the GDPR took effect.