GDPR Reference Guide: All 99 Articles in 25 Minutes

The General Data Protection Regulation (GDPR) regulates the processing of European citizens’ personal data. It applies to organizations both inside and outside the European Union (EU) that process personal data of EU citizens. The regulation goes into effect on May 25, 2018, after which supervisory authorities can impose steep fines of up to $20 million or four percent of annual turnover.

The following reference guide provides a one-sentence summary of each of the 99 articles in the regulation. To read a summary of the most relevant parts of the GDPR for BI and analytics managers, click here.

Further reading:

To read the actual GDPR, click here.

For an in-depth look at the GDPR with detailed commentary, click here.

To learn about the context and history of data protection laws and what’s actually new in the GDPR, click here.

CHAPTER 1 GENERAL PROVISIONS – This chapter discusses the aim of the Regulation, the scope of the Regulation (where it applies and who it applies to), and essential definitions.

  • Article 1: Subject-matter and objectives –– This Regulation contains rules on processing personal data and the free movement of personal data to protect the fundamental rights and freedoms of natural persons and their right to protection of personal data.
  • Article 2: Material Scope –– This Regulation applies to the processing of personal data which form part of a filing system.
  • Article 3: Territorial Scope –– This Regulation applies to controllers and processors in the Union and controllers or processors not in the Union if they process personal data of data subjects who live in the Union.
  • Article 4: Definitions –– This Article contains 26 essential definitions.


CHAPTER 2 PRINCIPLES – This chapter outlines the rules for processing and protecting personal data.

  • Article 5: Principles relating to processing of personal data –– Personal data shall be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purposes; be adequate, relevant, and limited to what is necessary; etc.
  • Article 6: Lawfulness of processing –– There are six grounds that make processing lawful if at least one of them applies (e.g. the data subject has given consent, processing is necessary for the performance of a contract, etc.).
  • Article 7: Conditions for Consent –– When processing is based on consent, whoever controls the personal data must prove consent to the processing, and the data subject can withdraw consent at any time.
  • Article 8: Conditions applicable to child’s consent in relation to information society services –– Information society services can process personal data of a child if the child is over 16. If the child is under 16, the legal guardian must consent.
  • Article 9: Processing special categories of personal data –– Processing personal data revealing race, political opinions, religion, philosophy, trade union membership, genetic data, health, sex life, and sexual orientation is prohibited unless the subject gives explicit consent, it’s necessary to carry out the obligations of the controller, it’s necessary to protect the vital interests of the data subject, etc.
  • Article 10: Processing personal data related to criminal convictions and offenses –– Processing personal data related to criminal convictions can only be carried out by an official authority or when Union or Member State law authorizes the processing.
  • Article 11: Processing which does not require identification –– The controller does not need to get or process additional information to identify the data subject if the purpose for which the controller processes data does not require the identification of a data subject.


CHAPTER 3 RIGHTS OF THE DATA SUBJECT – This chapter discusses the rights of the data subject, including the right to be forgotten, right to rectification, and right to restriction of processing.

Section 1 = Transparency and modalities

  • Article 12: Transparent information, communications, and modalities for the exercise of the rights of the data subject –– Where required, the controller must provide information to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and must inform the data subject of the action taken on a request within one month.

Section 2 = Information and access to personal data

  • Article 13: Information to be provided where personal data are collected from the data subject –– When personal data is collected from the data subject, certain information needs to be provided to the data subject.
  • Article 14: Information to be provided where personal data have not been obtained from the data subject –– When personal data is not obtained from the data subject, the controller has to provide the data subject with certain information.
  • Article 15: Right of access by the data subject –– The data subject has a right to know whether their personal data is being processed, what data is being processed, etc.

Section 3 = Rectification and Erasure

  • Article 16: Right to rectification –– The data subject can require the controller to rectify any inaccurate information immediately.
  • Article 17: Right to be forgotten –– In some cases, the data subject has the right to make the controller erase all personal data, with some exceptions.
  • Article 18: Right to restriction of processing –– In some cases, the data subject can restrict the controller from processing.
  • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing –– The controller has to notify recipients of personal data if that data is rectified or erased.
  • Article 20: Right to data portability –– The data subject can request to receive their personal data and give it to another controller or have the current controller give it directly to another controller.

Section 4 = Right to Object and Automated Individual decision-making

  • Article 21: Right to Object –– Data subjects have the right to object to data processing on grounds relating to their particular situation.
  • Article 22: Automated individual decision-making, including profiling –– Data subjects have the right not to be subjected to automated individual decision-making, including profiling.

Section 5 = Restrictions

  • Article 23: Restrictions –– Union or Member State law can restrict the rights in Articles 12 through 22 through a legislative measure.


CHAPTER 4 CONTROLLER AND PROCESSOR – This chapter covers the general obligations and necessary security measures of data controllers and processors, as well as data protection impact assessments, the role of the data protection officer, codes of conduct, and certifications.

Section 1 = General Obligations

  • Article 24: Responsibility of the Controller –– The controller has to ensure that processing is in accordance with this Regulation.
  • Article 25: Data protection by design and by default –– Controllers must implement data protection principles in an effective manner and integrate necessary safeguards to protect rights of data subjects.
  • Article 26: Joint Controllers –– When there are two or more controllers they have to determine their respective responsibilities for compliance.
  • Article 27: Representatives of controllers or processors not established in the Union –– When the controller or processor is not established in the Union, in most cases it has to designate a representative in the Union.
  • Article 28: Processor –– When processing is carried out on behalf of a controller, the controller can only use a processor that provides sufficient guarantees to implement appropriate technical and organizational measures that will meet GDPR requirements.
  • Article 29: Processing under the authority of the controller or processor –– Processors can only process data when instructed by the controller.
  • Article 30: Records of Processing Activities –– Each controller, or the controller’s representative, needs to maintain a record of processing activities and of all categories of processing activities.
  • Article 31: Cooperation with the supervisory authority –– The controller and processor have to cooperate with supervisory authorities.

Section 2 = Security of personal data

  • Article 32: Security of processing –– The controller and processor must ensure a level of security appropriate to the risk.
  • Article 33: Notification of a personal data breach to the supervisory authority –– In the case of a breach, the controller has to notify the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to people; the processor needs to notify the controller immediately.
  • Article 34: Communication of a personal data breach to the data subject –– When a breach is likely to cause risk to people, the controller has to notify data subjects immediately.

Section 3 = Data protection impact assessment and prior consultation

  • Article 35: Data protection impact assessment –– When a type of processing, especially with new technologies, is likely to result in a high risk for people, an assessment of the impact of the processing needs to be done.
  • Article 36: Prior consultation –– The controller needs to consult the supervisory authority when an impact assessment suggests there will be high risk if further action is not taken. The supervisory authority must provide advice within eight weeks of receiving the request for consultation.

Section 4 = Data protection officer

  • Article 37: Designation of the data protection officer –– The controller and processor must designate a data protection officer (DPO) if processing is carried out by a public authority, if processing operations require the systematic monitoring of data subjects, or if the core activities of the controller or processor consist of processing, on a large scale, personal data relating to criminal convictions or special categories of data under Article 9.
  • Article 38: Position of the data protection officer –– The DPO must be involved in all issues which relate to the protection of personal data. The controller and processor must provide all necessary support for the DPO to do their tasks and not provide instruction regarding those tasks.
  • Article 39: Tasks of the data protection officer –– The DPO must inform and advise the controller and processor and their employees of their obligations, monitor compliance, provide advice, cooperate with the supervisory authority, and act as the contact point for the supervisory authority.

Section 5 = Codes of conduct and certification

  • Article 40: Codes of conduct –– Member States, the supervisory authorities, the Board, and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR.
  • Article 41: Monitoring of approved codes of conduct –– A body that has adequate expertise in the subject matter and is accredited by the supervisory authority can monitor compliance with a code of conduct.
  • Article 42: Certification –– Member States, the supervisory authorities, the Board, and the Commission shall encourage the establishment of data protection certification mechanisms to demonstrate compliance.
  • Article 43: Certification bodies –– Certification bodies accredited by Member States can issue and renew certifications.


CHAPTER 5 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS – This chapter provides the rules for transferring personal data that is undergoing or will undergo processing outside of the Union.

  • Article 44: General principle for transfers –– Controllers and processors can only transfer personal data if they comply with the conditions in this chapter.
  • Article 45: Transfers on the basis of an adequacy decision –– A transfer of personal data to a third country or international organization can occur if the Commission has decided the country or organization can ensure an adequate level of protection.
  • Article 46: Transfers subject to appropriate safeguards –– If the Commission has decided that a third country or organization can’t ensure an adequate level of protection, a controller or processor can still transfer personal data to it if the controller or processor has provided appropriate safeguards.
  • Article 47: Binding Corporate rules –– The supervisory authority will approve binding corporate rules in accordance with the consistency mechanism in Article 63.
  • Article 48: Transfers or disclosures not authorized by Union law –– Any decision by a court or administrative authority in a third country to transfer or disclose personal data is only enforceable if the decision is based on an international agreement.
  • Article 49: Derogations for specific situations –– If there is no adequacy decision (Article 45) and no appropriate safeguards, a transfer of personal data to a third country or organization can only happen if one of seven specific conditions is met.
  • Article 50: International cooperation for the protection of personal data –– The Commission and supervisory authority have to do their best to further cooperation with third countries and international organizations.


CHAPTER 6 INDEPENDENT SUPERVISORY AUTHORITY – This chapter requires that each Member State have a competent supervisory authority with certain tasks and powers.

Section 1 = Independent status

  • Article 51: Supervisory authority –– Each Member State has to provide for at least one independent public authority to enforce this Regulation.
  • Article 52: Independence –– Each supervisory authority has to act with complete independence, and its members have to remain free from external influence.
  • Article 53: General conditions for the members of the supervisory authority –– Member States need to appoint members of the supervisory authority in a transparent way, and each member must be qualified.
  • Article 54: Rules on the establishment of the supervisory authority –– Each Member State needs to provide, in law, the establishment of each supervisory authority, qualifications for members, rules for appointment, etc.

Section 2 = Competence, tasks, and powers

  • Article 55: Competence –– Each supervisory authority must be competent to perform the tasks in this Regulation.
  • Article 56: Competence of the lead supervisory authority –– The supervisory authority of a controller or processor that is doing cross-border processing will be the lead supervisory authority.
  • Article 57: Tasks –– In its territory, each supervisory authority will monitor and enforce this Regulation, promote public awareness, advise the national government, provide information to data subjects, etc.
  • Article 58: Powers –– Each supervisory authority will have investigative, corrective, authorization, and advisory powers.
  • Article 59: Activity Reports –– Each supervisory authority must write an annual report on its activities.


CHAPTER 7 COOPERATION AND CONSISTENCY – This chapter outlines how supervisory authorities will cooperate with each other and ways they can remain consistent when applying this Regulation and defines the European Data Protection Board and its purpose.

Section 1 = Cooperation

  • Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned –– The lead supervisory authority will cooperate with the other supervisory authorities concerned, exchanging relevant information and providing mutual assistance, etc.
  • Article 61: Mutual assistance –– Supervisory authorities must provide each other with relevant information and mutual assistance in order to implement and apply this regulation.
  • Article 62: Joint operations of supervisory authorities –– Where appropriate, supervisory authorities will conduct joint operations.

Section 2 = Consistency

  • Article 63: Consistency mechanism –– For consistent application of this Regulation, supervisory authorities will cooperate with each other and the Commission through the consistency mechanism in this section.
  • Article 64: Opinion of the Board –– If a supervisory authority adopts any new measures, the Board will issue an opinion on it.
  • Article 65: Dispute resolution by the Board –– The Board has the power to resolve disputes between supervisory authorities.
  • Article 66: Urgency Procedure –– If there is an urgent need to act to protect data subjects, a supervisory authority may adopt provisional measures with legal effect for a period not exceeding three months.
  • Article 67: Exchange of information –– The Commission may adopt implementing acts in order to specify the arrangements for the exchange of information between supervisory authorities.

Section 3 = European data protection board

  • Article 68: European Data Protection Board –– The Board is composed of the head of one supervisory authority from each Member State.
  • Article 69: Independence –– The Board must act independently when performing its tasks or exercising its powers.
  • Article 70: Tasks of the Board –– The Board needs to monitor and ensure correct application of this Regulation, advise the Commission, issue guidelines, recommendations, and best practices, etc.
  • Article 71: Reports –– The Board will write an annual public report on the protection of natural persons with regard to processing.
  • Article 72: Procedure –– The Board will consider decisions by a majority vote and adopt decisions by a two-thirds majority.
  • Article 73: Chair –– The Board elects a chair and two deputy chairs by a majority vote. Terms are five years and are renewable once.
  • Article 74: Tasks of the chair –– The Chair is responsible for convening Board meetings, notifying supervisory authorities of Board decisions, and making sure Board tasks are performed on time.
  • Article 75: Secretariat –– The European Data Protection Supervisor will appoint a secretariat that exclusively performs tasks under the instruction of the Chair of the Board, mainly to provide analytical, administrative, and logistical support to the Board.
  • Article 76: Confidentiality –– Board discussions are confidential.


CHAPTER 8 REMEDIES, LIABILITY, AND PENALTIES – This chapter covers the rights of data subjects to judicial remedies and the penalties for controllers and processors.

  • Article 77: Right to lodge a complaint with a supervisory authority –– Every data subject has the right to lodge a complaint with a supervisory authority.
  • Article 78: Right to an effective judicial remedy against a supervisory authority –– Each natural or legal person has the right to a judicial remedy against a decision of a supervisory authority.
  • Article 79: Right to an effective judicial remedy against a controller or processor –– Each data subject has the right to a judicial remedy if he or she considers that his or her rights have been infringed as a result of processing that does not comply with this Regulation.
  • Article 80: Representation of data subjects –– Data subjects have the right to have an organization lodge a complaint on their behalf.
  • Article 81: Suspension of proceedings –– A court in a Member State that becomes aware of proceedings on the same subject matter already pending in another Member State may suspend its own proceedings.
  • Article 82: Right to compensation and liability –– Any person who has suffered damage from infringement of this Regulation has the right to receive compensation from the controller or processor or both.
  • Article 83: General conditions for imposing administrative fines –– Each supervisory authority shall ensure that fines are effective, proportionate, and dissuasive. For infringements of Articles 8, 11, 25 to 39, 41, 42, and 43, fines can be up to $10,000,000 or two percent of global annual turnover. For infringements of Articles 5, 6, 7, 9, 12, 22, 44 to 49, and 58, fines can be up to $20,000,000 or four percent of global annual turnover.
  • Article 84: Penalties –– Member States can make additional penalties for infringements.


CHAPTER 9 PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS – This chapter covers some exceptions to the Regulation and enables Member States to create their own specific rules.

  • Article 85: Processing and freedom of expression and information –– Member States have to reconcile the protection of personal data and the right to freedom of expression and information (for journalistic, artistic, academic, and literary purposes).
  • Article 86: Processing and public access to official documents –– Personal data in official documents held for tasks carried out in the public interest may be disclosed for public access in accordance with Union or Member State law.
  • Article 87: Processing of the national identification number –– Member States can determine the conditions for processing national identification numbers or any other identifier.
  • Article 88: Processing in the context of employment –– Member States can provide more specific rules for processing employees’ personal data.
  • Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes –– Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is subject to appropriate safeguards (data minimization and pseudonymization).
  • Article 90: Obligations of secrecy –– Member States can adopt specific rules for the powers of the supervisory authorities regarding controllers’ and processors’ obligation to secrecy.
  • Article 91: Existing data protection rules of churches and religious associations –– Churches and religious associations or communities that lay down their own rules for processing in order to protect natural persons can continue to use those rules as long as they are in line with this Regulation.


CHAPTER 10 DELEGATED ACTS AND IMPLEMENTING ACTS

  • Article 92: Exercise of the delegation –– The Commission has the power to adopt delegated acts. Delegation of power can be revoked at any time by the European Parliament or the Council.
  • Article 93: Committee procedure –– The Commission will be assisted by a committee.


CHAPTER 11 FINAL PROVISIONS – This chapter explains the relationship of this Regulation to past Directives and agreements on the same subject matter, requires the Commission to submit a report every four years, and enables the Commission to submit legislative proposals.

  • Article 94: Repeal of Directive 95/46/EC –– Directive 95/46/EC of 1995 (the old personal data processing law) is repealed.
  • Article 95: Relationship with Directive 2002/58/EC –– This Regulation does not add obligations for natural or legal persons that are already set out in Directive 2002/58/EC (has to do with the processing of personal data and the protection of privacy in the electronic communications sector).
  • Article 96: Relationship with previously concluded Agreements –– International agreements involving the transfer of data to third countries or organizations that were set up before 24 May 2016 will stay in effect.
  • Article 97: Commission reports –– Every four years the Commission will submit a report on this Regulation to the European Parliament and to the Council.
  • Article 98: Review of other Union legal acts on data protection –– The Commission can submit legislative proposals to amend other Union legal acts on the protection of personal data.
  • Article 99: Entry into force and application –– The Regulation applies from 25 May 2018.

Henry H. Eckerson

Henry Eckerson covers business intelligence and analytics at Eckerson Group and has a keen interest in artificial intelligence, deep learning, predictive analytics, and cloud data warehousing. When not researching and...
