CHAPTER I - General provisions

Article 1 - Subject-matter and objectives  Recitals: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 

Article 2 - Material scope  Recitals: 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 

Article 3 - Territorial scope  Recitals: 22 | 23 | 24 | 25 

Article 4 - Definitions  Recitals: 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 

CHAPTER II - Principles

Article 5 - Principles relating to processing of personal data  Recitals: 39 

Article 6 - Lawfulness of processing  Recitals: 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 

Article 7 - Conditions for consent  Recitals: 32 | 33 | 42 | 43 

Article 8 - Conditions applicable to child's consent in relation to information society services  Recitals: 38 

Article 9 - Processing of special categories of personal data  Recitals: 51 | 52 | 53 | 54 | 55 | 56 

Article 10 - Processing of personal data relating to criminal convictions and offences

Article 11 - Processing which does not require identification  Recitals: 57 

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities

Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject  Recitals: 58 | 59 

Section 2 - Information and access to personal data

Article 13 - Information to be provided where personal data are collected from the data subject  Recitals: 60 | 61 | 62 

Article 14 - Information to be provided where personal data have not been obtained from the data subject  Recitals: 60 | 61 | 62 

Article 15 - Right of access by the data subject  Recitals: 63 | 64 

Section 3 - Rectification and erasure

Article 16 - Right to rectification  Recitals: 65 

Article 17 - Right to erasure ["right to be forgotten"]  Recitals: 65 | 66 

Article 18 - Right to restriction of processing  Recitals: 67 

Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 - Right to data portability  Recitals: 68 

Section 4 - Right to object and automated individual decision-making

Article 21 - Right to object  Recitals: 69 | 70 

Article 22 - Automated individual decision-making, including profiling  Recitals: 71 | 72 

Section 5 - Restrictions

Article 23 - Restrictions  Recitals: 73 

CHAPTER IV - Controller and processor

Section 1 - General obligations

Article 24 - Responsibility of the controller  Recitals: 74 | 75 | 76 | 77 | 83 

Article 25 - Data protection by design and by default  Recitals: 78 

Article 26 - Joint controllers  Recitals: 79 

Article 27 - Representatives of controllers or processors not established in the Union  Recitals: 80 

Article 28 - Processor  Recitals: 81 

Article 29 - Processing under the authority of the controller or processor

Article 30 - Records of processing activities  Recitals: 13 | 39 | 82 

Article 31 - Cooperation with the supervisory authority

Section 2 - Security of personal data

Article 32 - Security of processing  Recitals: 74 | 75 | 76 | 77 | 83 

Article 33 - Notification of a personal data breach to the supervisory authority  Recitals: 75 | 85 | 87 | 88 

Article 34 - Communication of a personal data breach to the data subject  Recitals: 75 | 86 | 87 | 88 

Section 3 - Data protection impact assessment and prior consultation

Article 35 - Data protection impact assessment  Recitals: 75 | 84 | 89 | 90 | 91 | 92 | 93 

Article 36 - Prior consultation  Recitals: 94 | 95 | 96 

Section 4 - Data protection officer

Article 37 - Designation of the data protection officer  Recitals: 97 

Article 38 - Position of the data protection officer  Recitals: 97 

Article 39 - Tasks of the data protection officer  Recitals: 97 

Section 5 - Codes of conduct and certification

Article 40 - Codes of conduct  Recitals: 98 | 99 

Article 41 - Monitoring of approved codes of conduct

Article 42 - Certification  Recitals: 100 

Article 43 - Certification bodies

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44 - General principle for transfers  Recitals: 101 | 102 

Article 45 - Transfers on the basis of an adequacy decision  Recitals: 103 | 104 | 105 | 106 | 107 

Article 46 - Transfers subject to appropriate safeguards  Recitals: 108 | 109 

Article 47 - Binding corporate rules  Recitals: 110 

Article 48 - Transfers or disclosures not authorised by Union law

Article 49 - Derogations for specific situations  Recitals: 111 | 112 | 113 | 114 | 115 | 116 

Article 50 - International cooperation for the protection of personal data

CHAPTER VI - Independent supervisory authorities

Section 1 - Independent status

Article 51 - Supervisory authority  Recitals: 117 | 118 | 119 

Article 52 - Independence  Recitals: 118 | 120 

Article 53 - General conditions for the members of the supervisory authority  Recitals: 121 

Article 54 - Rules on the establishment of the supervisory authority

Section 2 - Competence, tasks and powers

Article 55 - Competence  Recitals: 122 

Article 56 - Competence of the lead supervisory authority  Recitals: 124 | 125 | 126 | 127 | 128 

Article 57 - Tasks  Recitals: 123 | 132 

Article 58 - Powers  Recitals: 129 

Article 59 - Activity reports

Section 1 - Cooperation

CHAPTER VII - Cooperation and consistency

Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned  Recitals: 124 | 125 | 126 | 127 | 128 | 130 | 131 

Article 61 - Mutual assistance  Recitals: 133 

Article 62 - Joint operations of supervisory authorities  Recitals: 134 

Section 2 - Consistency

Article 63 - Consistency mechanism  Recitals: 135 

Article 64 - Opinion of the Board  Recitals: 136 

Article 65 - Dispute resolution by the Board

Article 66 - Urgency procedure  Recitals: 137 | 138 

Article 67 - Exchange of information

Section 3 - European data protection board

Article 68 - European Data Protection Board  Recitals: 139 

Article 69 - Independence  Recitals: 139 

Article 70 - Tasks of the Board  Recitals: 139 

Article 71 - Reports

Article 72 - Procedure

Article 73 - Chair

Article 74 - Tasks of the Chair

Article 75 - Secretariat  Recitals: 140 

Article 76 - Confidentiality

CHAPTER VIII - Remedies, liability and penalties

Article 77 - Right to lodge a complaint with a supervisory authority  Recitals: 141 

Article 78 - Right to an effective judicial remedy against a supervisory authority  Recitals: 143 

Article 79 - Right to an effective judicial remedy against a controller or processor  Recitals: 145 

Article 80 - Representation of data subjects  Recitals: 142 

Article 81 - Suspension of proceedings  Recitals: 144 

Article 82 - Right to compensation and liability  Recitals: 146 | 147 

Article 83 - General conditions for imposing administrative fines  Recitals: 148 | 150 | 151 

Article 84 - Penalties  Recitals: 149 | 152 

CHAPTER IX - Provisions relating to specific processing situations

Article 85 - Processing and freedom of expression and information  Recitals: 153 

Article 86 - Processing and public access to official documents  Recitals: 154 

Article 87 - Processing of the national identification number

Article 88 - Processing in the context of employment  Recitals: 155 

Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes  Recitals: 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 

Article 90 - Obligations of secrecy  Recitals: 164 

Article 91 - Existing data protection rules of churches and religious associations  Recitals: 165 

CHAPTER X - Delegated acts and implementing acts

Article 92 - Exercise of the delegation  Recitals: 166 | 167 | 168 | 169 | 170 

Article 93 - Committee procedure

CHAPTER XI - Final provisions

Article 94 - Repeal of Directive 95/46/EC  Recitals: 171 

Article 95 - Relationship with Directive 2002/58/EC  Recitals: 173 

Article 96 - Relationship with previously concluded Agreements

Article 97 - Commission reports

Article 98 - Review of other Union legal acts on data protection

Article 99 - Entry into force and application