General Data Protection Regulation
Table of Contents
Principles relating to processing of personal data
Lawfulness of processing
Conditions for consent
Conditions applicable to child's consent in relation to information society services
Processing of special categories of personal data
Processing of personal data relating to criminal convictions and offences
Processing which does not require identification
Rights of the data subject
Transparency and modalities
Information and access to personal data
Rectification and erasure
Right to object and automated individual decision-making
Controller and processor
Responsibility of the controller
Data protection by design and by default
Representatives of controllers or processors not established in the Union
Processing under the authority of the controller or processor
Records of processing activities
Cooperation with the supervisory authority
Security of personal data
Data protection impact assessment and prior consultation
Data protection officer
Codes of conduct and certification
Transfers of personal data to third countries or international organisations
General principle for transfers
Transfers on the basis of an adequacy decision
Transfers subject to appropriate safeguards
Binding corporate rules
Transfers or disclosures not authorised by Union law
Derogations for specific situations
International cooperation for the protection of personal data
Independent supervisory authorities
Competence, tasks and powers
Cooperation and consistency
European data protection board
Remedies, liability and penalties
Right to lodge a complaint with a supervisory authority
Right to an effective judicial remedy against a supervisory authority
Right to an effective judicial remedy against a controller or processor
Representation of data subjects
Suspension of proceedings
Right to compensation and liability
General conditions for imposing administrative fines
Provisions relating to specific processing situations
Processing and freedom of expression and information
Processing and public access to official documents
Processing of the national identification number
Processing in the context of employment
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Obligations of secrecy
Existing data protection rules of churches and religious associations
Delegated acts and implementing acts
Official GDPR Summary
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
a systematic monitoring of a publicly accessible area on a large scale.
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
The assessment shall contain at least:
a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.