General Data Protection Regulation
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
3. The certification shall be voluntary and available via a process that is transparent.
4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.
8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.