
GDPR Key Articles Reference

Detailed reference for the most important GDPR articles, organized by theme.


This reference covers the most important GDPR articles that practitioners need to understand. Articles are grouped by theme for easy navigation.

Scope and Definitions

Article 1 — Subject Matter and Objectives

GDPR protects fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. It establishes rules for the free movement of personal data within the EU.

Article 2 — Material Scope

GDPR applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of a filing system.

Does NOT apply to:

  • Purely personal or household activities
  • Law enforcement processing (covered by the LED Directive)
  • National security activities
  • Processing by EU institutions (covered by separate regulation)

Article 3 — Territorial Scope

GDPR applies to:

  1. Establishment in the EU — any controller or processor established in the EU, regardless of where processing takes place
  2. Targeting EU individuals — controllers or processors outside the EU that offer goods/services to, or monitor the behaviour of, individuals in the EU

This is why GDPR has global reach.

Article 4 — Definitions

Key definitions every practitioner should know:

| Term | Definition |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data (collection, storage, use, erasure, etc.) |
| Controller | Entity that determines the purposes and means of processing |
| Processor | Entity that processes personal data on behalf of the controller |
| Consent | Freely given, specific, informed, and unambiguous indication of wishes |
| Personal data breach | Breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure/access |
| Profiling | Automated processing to evaluate personal aspects of a natural person |

Principles and Lawfulness

Article 5 — Principles Relating to Processing

The seven foundational principles:

  1. Lawfulness, fairness, and transparency — process legally, fairly, and transparently
  2. Purpose limitation — collect for specified, explicit, legitimate purposes only
  3. Data minimization — adequate, relevant, and limited to what is necessary
  4. Accuracy — keep data accurate and up to date
  5. Storage limitation — keep only as long as necessary
  6. Integrity and confidentiality — ensure appropriate security
  7. Accountability — controller must demonstrate compliance

These principles underpin every other GDPR requirement.

Article 6 — Lawfulness of Processing

Six legal bases for processing personal data:

  1. Consent — data subject has given consent for specific purposes
  2. Contract — necessary for contract performance or pre-contractual steps
  3. Legal obligation — necessary for compliance with a legal obligation
  4. Vital interests — necessary to protect someone's life
  5. Public interest — necessary for a task in the public interest
  6. Legitimate interests — necessary for legitimate interests of the controller (does not apply to public authorities)

Practical tip: Choose the most appropriate basis, not the easiest. Consent is not always the best choice — contract or legitimate interest may be more suitable and sustainable.

Article 7 — Conditions for Consent

When relying on consent:

  • Controller must be able to demonstrate that consent was given
  • Request must be presented in a clear, intelligible, and easily accessible form
  • Data subject has the right to withdraw consent at any time
  • Withdrawal must be as easy as giving consent
  • Consent must be freely given — cannot be a condition of service unless necessary

Article 8 — Conditions for Children's Consent

  • Consent for information society services valid from age 16 (member states can lower to 13)
  • Below the age threshold, consent must be given or authorized by the holder of parental responsibility
  • Controller must make reasonable efforts to verify parental consent

Article 9 — Processing of Special Categories of Data

Special categories (sensitive data) require extra protection:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for identification
  • Health data
  • Sex life or sexual orientation

Processing prohibited unless:

  • Explicit consent given
  • Employment or social security law
  • Vital interests (data subject unable to consent)
  • Legitimate activities of foundations, associations, or non-profits
  • Data manifestly made public by the data subject
  • Legal claims
  • Substantial public interest
  • Preventive or occupational medicine
  • Public health
  • Archiving, research, or statistics

Data Subject Rights

Article 12 — Transparent Communication

  • Provide information in a concise, transparent, intelligible, and easily accessible form
  • Use clear and plain language, especially for children
  • Respond to requests within one month (extendable by two months for complex requests)
  • Provide information free of charge (reasonable fee allowed for manifestly unfounded or excessive requests)

Article 13 — Information When Data Collected from Data Subject

When collecting directly from the individual, provide at the time of collection:

  • Identity and contact details of the controller
  • DPO contact details
  • Purposes and legal basis
  • Legitimate interests pursued (if applicable)
  • Recipients or categories of recipients
  • International transfer details
  • Retention period or criteria
  • All data subject rights
  • Right to withdraw consent
  • Right to complain to supervisory authority
  • Whether provision is statutory/contractual/necessary for contract
  • Automated decision-making details

Article 14 — Information When Data Not Obtained from Data Subject

When data comes from another source, provide the above plus:

  • Categories of personal data concerned
  • Source of the personal data
  • Timing: provide within a reasonable period (at most one month), at the latest at the first communication with the data subject, or before the first disclosure to another recipient

Article 15 — Right of Access

Data subjects can obtain:

  • Confirmation of whether their data is being processed
  • A copy of their personal data
  • Information about purposes, categories, recipients, retention, rights, source, and automated decision-making

Article 16 — Right to Rectification

Data subjects can request correction of inaccurate personal data and completion of incomplete data.

Article 17 — Right to Erasure ("Right to be Forgotten")

Data subjects can request deletion when:

  • Data is no longer necessary for original purpose
  • Consent is withdrawn (and no other legal basis exists)
  • Data subject objects and no overriding legitimate grounds exist
  • Data was unlawfully processed
  • Required by legal obligation
  • Data was collected in relation to information society services offered to a child

Exceptions: Freedom of expression, legal obligations, public health, archiving/research, legal claims

Article 18 — Right to Restriction of Processing

Data subjects can request restriction when:

  • Accuracy is contested (during verification period)
  • Processing is unlawful but data subject prefers restriction over erasure
  • Controller no longer needs data but data subject needs it for legal claims
  • Data subject has objected (pending verification of legitimate grounds)

Article 20 — Right to Data Portability

Data subjects can:

  • Receive their data in a structured, commonly used, machine-readable format
  • Transmit data to another controller without hindrance
  • Request direct transmission between controllers where technically feasible

Applies only to data provided by the data subject and processed by automated means based on consent or contract.

Article 21 — Right to Object

Data subjects can object to processing based on:

  • Legitimate interests — controller must stop unless compelling legitimate grounds
  • Direct marketing — absolute right, must stop immediately
  • Research or statistics — unless necessary for public interest

Article 22 — Automated Individual Decision-Making

Data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Exceptions:

  • Necessary for contract
  • Authorized by law
  • Based on explicit consent

In all cases, the controller must implement suitable safeguards, including the right to obtain human intervention, express their point of view, and contest the decision.

Controller and Processor Obligations

Article 24 — Responsibility of the Controller

The controller must implement appropriate technical and organizational measures to ensure and demonstrate compliance. These measures must be reviewed and updated when necessary.

Article 25 — Data Protection by Design and by Default

  • By design: Implement data protection principles from the earliest stage of development
  • By default: Only process data that is necessary for each specific purpose (amount, extent, storage period, accessibility)

Article 26 — Joint Controllers

When two or more controllers jointly determine purposes and means:

  • Must have a transparent arrangement defining responsibilities
  • Must make the essence of the arrangement available to data subjects
  • Data subjects can exercise rights against any joint controller

Article 27 — Representatives of Non-EU Controllers

Controllers or processors not established in the EU but subject to GDPR must designate a representative in the EU (with some exceptions).

Article 28 — Processor

  • Controller must only use processors providing sufficient guarantees
  • Processing must be governed by a contract or legal act (the DPA)
  • Processor must not engage sub-processors without controller authorization
  • DPA must include all required provisions (subject matter, duration, nature, purpose, data types, obligations)

Article 30 — Records of Processing Activities

  • Controllers with 250+ employees must maintain written records (ROPA)
  • Smaller controllers must also maintain records if processing is not occasional, involves special categories, or is likely to result in risk

Practical tip: Maintain a ROPA regardless of organization size. It's essential for demonstrating accountability.

Security and Breaches

Article 32 — Security of Processing

Implement appropriate measures considering:

  • State of the art
  • Cost of implementation
  • Nature, scope, context, and purposes
  • Risk to rights and freedoms

Measures include:

  • Pseudonymization and encryption
  • Ensuring ongoing confidentiality, integrity, availability, and resilience
  • Ability to restore availability and access in a timely manner
  • Regular testing, assessing, and evaluating effectiveness

Article 33 — Notification to Supervisory Authority

  • Notify the supervisory authority within 72 hours of becoming aware of a breach
  • Unless the breach is unlikely to result in risk to individuals' rights and freedoms
  • Notification must include: nature of breach, DPO contact, likely consequences, measures taken or proposed
  • If not possible within 72 hours, provide reasons for delay and information in phases

Article 34 — Communication to the Data Subject

  • When a breach is likely to result in a high risk to rights and freedoms
  • Communicate to the data subject without undue delay
  • In clear and plain language
  • Not required if: appropriate safeguards applied (e.g., encryption), subsequent measures taken that eliminate risk, or disproportionate effort (use public communication instead)

Article 35 — Data Protection Impact Assessment

DPIA required when processing is likely to result in high risk:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories or criminal data
  • Large-scale systematic monitoring of publicly accessible areas

DPIA must contain:

  • Systematic description of processing and purposes
  • Assessment of necessity and proportionality
  • Assessment of risks to data subjects
  • Measures to address risks, including safeguards and security measures

Article 36 — Prior Consultation

If the DPIA indicates high risk that cannot be mitigated, the controller must consult the supervisory authority before processing.

International Transfers

Article 44 — General Principle for Transfers

Any transfer of personal data to a third country may only take place if the conditions in Chapter V are complied with.

Article 45 — Adequacy Decisions

Transfer is permitted if the European Commission has decided the destination country ensures an adequate level of protection. Current adequacy decisions include: Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (EU-US Data Privacy Framework), and Uruguay.

Article 46 — Appropriate Safeguards

In the absence of an adequacy decision, transfers are permitted with appropriate safeguards:

  • Standard Contractual Clauses (SCCs) adopted by the Commission
  • Binding Corporate Rules (BCRs) approved by supervisory authority
  • Approved codes of conduct with binding commitments
  • Approved certification mechanisms with binding commitments

Article 49 — Derogations

In the absence of adequacy decisions or safeguards, transfers permitted if:

  • Explicit consent after being informed of risks
  • Necessary for contract performance
  • Necessary for important reasons of public interest
  • Necessary for legal claims
  • Necessary to protect vital interests
  • Transfer from a public register

These derogations are for occasional transfers only, not systematic or large-scale.

Enforcement

Article 77 — Right to Complain

Every data subject has the right to lodge a complaint with a supervisory authority.

Article 82 — Right to Compensation

Any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation from the controller or processor.

Article 83 — Fines

Lower tier (up to €10 million or 2% of annual global turnover):

  • Controller/processor obligations (Articles 8, 11, 25-39, 42, 43)
  • Certification body obligations (Articles 42, 43)
  • Monitoring body obligations (Article 41)

Upper tier (up to €20 million or 4% of annual global turnover):

  • Principles and lawfulness of processing (Articles 5, 6, 7, 9)
  • Data subject rights (Articles 12-22)
  • International transfers (Articles 44-49)
  • Member state law obligations
  • Non-compliance with supervisory authority orders

Next Steps

This reference covers the most commonly referenced GDPR articles. For the full regulation text, refer to the official EU publication.