Chapter 1 : General provisions
- Article 1 : Subject-matter and objectives
- Article 2 : Material scope
- Article 3 : Territorial scope
- Article 4 : Definitions
Chapter 2 : Principles
- Article 5 : Principles relating to processing of personal data
- Article 6 : Lawfulness of processing
- Article 7 : Conditions for consent
- Article 8 : Conditions applicable to child's consent in relation to information society services
- Article 9 : Processing of special categories of personal data
- Article 10 : Processing of personal data relating to criminal convictions and offences
- Article 11 : Processing not allowing identification
Chapter 3 : Rights of the data subject
Section 1 : Transparency and modalities
Section 2 : Information and access to personal data
- Article 13 : Information to be provided where personal data are collected from the data subject
- Article 14 : Information to be provided where personal data have not been obtained from the data subject
- Article 15 : Right of access by the data subject
Section 3 : Rectification and erasure
- Article 16 : Right to rectification
- Article 17 : Right to erasure (‘right to be forgotten’)
- Article 18 : Right to restriction of processing
- Article 19 : Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20 : Right to data portability
Section 4 : Right to object and automated individual decision-making
Section 5 : Restrictions
Chapter 4 : Controller and processor
Section 1 : General obligations
- Article 24 : Responsibility of the controller
- Article 25 : Data protection by design and by default
- Article 26 : Joint controllers
- Article 27 : Representatives of controllers not established in the Union
- Article 28 : Processor
- Article 29 : Processing under the authority of the controller or processor
- Article 30 : Records of processing activities
- Article 31 : Cooperation with the supervisory authority
Section 2 : Security of personal data
- Article 32 : Security of processing
- Article 33 : Notification of a personal data breach to the supervisory authority
- Article 34 : Communication of a personal data breach to the data subject
Section 3 :Data protection impact assessment and prior consultation
Section 4 : Data protection officer
- Article 37 : Designation of the data protection officer
- Article 38 : Position of the data protection officer
- Article 39 : Tasks of the data protection officer
Section 5 : Codes of conduct and certification
- Article 40 : Codes of conduct
- Article 41 : Monitoring of approved codes of conduct
- Article 42 : Certification
- Article 43 : Certification bodies
Chapter 5 : Transfers of personal data to third countries or international organisations
- Article 44 : General principle for transfers
- Article 45 : Transfers on the basis of an adequacy decision
- Article 46 : Transfers subject to appropriate safeguards
- Article 47 : Binding corporate rules
- Article 48 : Transfers or disclosures not authorised by Union law
- Article 49 : Derogations for specific situations
- Article 50 : International cooperation for the protection of personal data
Chapter 6 : Independent supervisory authorities
Section 1 : Independent status
- Article 51 : Supervisory authority
- Article 52 : Independence
- Article 53 : General conditions for the members of the supervisory authority
- Article 54 : Rules on the establishment of the supervisory authority
Section 2 : Competence, tasks and powers
- Article 55 : Competence
- Article 56 : Competence of the lead supervisory authority
- Article 57 : Tasks
- Article 58 : Powers
- Article 59 : Activity reports
Chapter 7 : Cooperation and consistency
Section 1 : Cooperation
- Article 60 : Cooperation between the lead supervisory authority and the other supervisory authorities concerned
- Article 61 : Mutual assistance
- Article 62 : Joint operations of supervisory authorities
Section 2 : Consistency
- Article 63 : Consistency mechanism
- Article 64 : Opinion of the Board
- Article 65 : Dispute resolution by the Board
- Article 66 : Urgency procedure
- Article 67 : Exchange of information
Section 3 : European data protection board
- Article 68 : European Data Protection Board
- Article 69 : Independence
- Article 70 : Tasks of the Board
- Article 71 : Reports
- Article 72 : Procedure
- Article 73 : Chair
- Article 74 : Tasks of the Chair
- Article 75 : Secretariat
- Article 76 : Confidentiality
Chapter 8 : Remedies, liability and penalties
- Article 77 : Right to lodge a complaint with a supervisory authority
- Article 78 : Right to an effective judicial remedy against a supervisory authority
- Article 79 : Right to an effective judicial remedy against a controller or processor
- Article 80 : Representation of data subjects
- Article 81 : Suspension of proceedings
- Article 82 : Right to compensation and liability
- Article 83 : General conditions for imposing administrative fines
- Article 84 : Penalties
Chapter 9 : Provisions relating to specific processing situations
- Article 85 : Processing and freedom of ex
pression and information - Article 86 : Processing and public access to official documents
- Article 87 : Processing of the national identification number
- Article 88 : Processing in the context of employment
- Article 89 : Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical resear
- Article 90 : Obligations of secrecy
- Article 91 : Existing data protection rules of churches and religious associations