1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. 69. 70. 71. 72. 73. 74. 75. 76. 77. 78. 79. 80. 81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91. 92. 93. 94. 95. 96. 97. 98. 99. 100. 101. 102. 103. 104. 105. 106. 107. 108. 109. 110. 111. 112. 113. 114. 115. 116. 117. 118. 119. 120. 121. 122. 123. 124. 125. 126. 127. 128. 129. 130. 131. 132. 133. 134. 135. 136. 137. 138. 139. 140. 141. 142. 143. 144. 145. 146. 147. 148. 149. 150. 151. 152. 153. 154. 155. 156. 157. 158. 159. 160. 161. 162. 163. 164. 165. 166. 167. 168. 169. 170. 171. 172. 173.
Article 5 - Principles relating to processing of personal dataArticle 6 - Lawfulness of processingArticle 7 - Conditions for consentArticle 8 - Conditions applicable to child's consent in relation to information society servicesArticle 9 - Processing of special categories of personal dataArticle 10 - Processing of personal data relating to criminal convictions and offencesArticle 11 - Processing which does not require identification
Section 1 - Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subjectSection 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subjectArticle 14 - Information to be provided where personal data have not been obtained from the data subjectArticle 15 - Right of access by the data subjectSection 3 - Rectification and erasure
Article 16 - Right to rectificationArticle 17 - Right to erasure (‘right to be forgotten’)Article 18 - Right to restriction of processingArticle 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processingArticle 20 - Right to data portabilitySection 4 - Right to object and automated individual decision-making
Article 21 - Right to objectArticle 22 - Automated individual decision-making, including profilingSection 5 - Restrictions
Article 23 - RestrictionsSection 1 - General obligations
Article 24 - Responsibility of the controllerArticle 25 - Data protection by design and by defaultArticle 26 - Joint controllersArticle 27 - Representatives of controllers or processors not established in the UnionArticle 28 - ProcessorArticle 29 - Processing under the authority of the controller or processorArticle 30 - Records of processing activitiesArticle 31 - Cooperation with the supervisory authoritySection 2 - Security of personal data
Article 32 - Security of processingArticle 33 - Notification of a personal data breach to the supervisory authorityArticle 34 - Communication of a personal data breach to the data subjectSection 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessmentArticle 36 - Prior consultationSection 4 - Dat a protection officer
Article 37 - Designation of the data protection officerArticle 38 - Position of the data protection officerArticle 39 - Tasks of the data protection officerSection 5 - Codes of conduct and certification
Article 40 - Codes of conductArticle 41 - Monitoring of approved codes of conductArticle 42 - CertificationArticle 43 - Certification bodiesArticle 44 - General principle for transfersArticle 45 - Transfers on the basis of an adequacy decisionArticle 46 - Transfers subject to appropriate safeguardsArticle 47 - Binding corporate rulesArticle 48 - Transfers or disclosures not authorised by Union lawArticle 49 - Derogations for specific situationsArticle 50 - International cooperation for the protection of personal data
Section 1 - Independent status
Article 51 - Supervisory authorityArticle 52 - IndependenceArticle 53 - General conditions for the members of the supervisory authorityArticle 54 - Rules on the establishment of the supervisory authoritySection 2 - Competence, tasks and powers
Article 55 - CompetenceArticle 56 - Competence of the lead supervisory authorityArticle 57 - TasksArticle 58 - PowersArticle 59 - Activity reportsSection 1 - Cooperation
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concernedArticle 61 - Mutual assistanceArticle 62 - Joint operations of supervisory authoritiesSection 2 - Consistency
Article 63 - Consistency mechanismArticle 64 - Opinion of the BoardArticle 65 - Dispute resolution by the BoardArticle 66 - Urgency procedureArticle 67 - Exchange of informationSection 3 - European data protection board
Article 68 - European Data Protection BoardArticle 69 - IndependenceArticle 70 - Tasks of the BoardArticle 71 - ReportsArticle 72 - ProcedureArticle 73 - ChairArticle 74 - Tasks of the ChairArticle 75 - SecretariatArticle 76 - ConfidentialityArticle 77 - Right to lodge a complaint with a supervisory authorityArticle 78 - Right to an effective judicial remedy against a supervisory authorityArticle 79 - Right to an effective judicial remedy against a controller or processorArticle 80 - Representation of data subjectsArticle 81 - Suspension of proceedingsArticle 82 - Right to compensation and liabilityArticle 83 - General conditions for imposing administrative finesArticle 84 - Penalties
Article 85 - Processing and freedom of expression and informationArticle 86 - Processing and public access to official documentsArticle 87 - Processing of the national identification numberArticle 88 - Processing in the context of employmentArticle 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposesArticle 90 - Obligations of secrecyArticle 91 - Existing data protection rules of churches and religious associations
Article 30
Records of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
(b) the categories of processing carried out on behalf of each controller;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.