1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. 69. 70. 71. 72. 73. 74. 75. 76. 77. 78. 79. 80. 81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91. 92. 93. 94. 95. 96. 97. 98. 99. 100. 101. 102. 103. 104. 105. 106. 107. 108. 109. 110. 111. 112. 113. 114. 115. 116. 117. 118. 119. 120. 121. 122. 123. 124. 125. 126. 127. 128. 129. 130. 131. 132. 133. 134. 135. 136. 137. 138. 139. 140. 141. 142. 143. 144. 145. 146. 147. 148. 149. 150. 151. 152. 153. 154. 155. 156. 157. 158. 159. 160. 161. 162. 163. 164. 165. 166. 167. 168. 169. 170. 171. 172. 173.
Article 5 - Principles relating to processing of personal dataArticle 6 - Lawfulness of processingArticle 7 - Conditions for consentArticle 8 - Conditions applicable to child's consent in relation to information society servicesArticle 9 - Processing of special categories of personal dataArticle 10 - Processing of personal data relating to criminal convictions and offencesArticle 11 - Processing which does not require identification
Section 1 - Transparency and modalities
Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subjectSection 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are collected from the data subjectArticle 14 - Information to be provided where personal data have not been obtained from the data subjectArticle 15 - Right of access by the data subjectSection 3 - Rectification and erasure
Article 16 - Right to rectificationArticle 17 - Right to erasure (‘right to be forgotten’)Article 18 - Right to restriction of processingArticle 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processingArticle 20 - Right to data portabilitySection 4 - Right to object and automated individual decision-making
Article 21 - Right to objectArticle 22 - Automated individual decision-making, including profilingSection 5 - Restrictions
Article 23 - RestrictionsSection 1 - General obligations
Article 24 - Responsibility of the controllerArticle 25 - Data protection by design and by defaultArticle 26 - Joint controllersArticle 27 - Representatives of controllers or processors not established in the UnionArticle 28 - ProcessorArticle 29 - Processing under the authority of the controller or processorArticle 30 - Records of processing activitiesArticle 31 - Cooperation with the supervisory authoritySection 2 - Security of personal data
Article 32 - Security of processingArticle 33 - Notification of a personal data breach to the supervisory authorityArticle 34 - Communication of a personal data breach to the data subjectSection 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessmentArticle 36 - Prior consultationSection 4 - Dat a protection officer
Article 37 - Designation of the data protection officerArticle 38 - Position of the data protection officerArticle 39 - Tasks of the data protection officerSection 5 - Codes of conduct and certification
Article 40 - Codes of conductArticle 41 - Monitoring of approved codes of conductArticle 42 - CertificationArticle 43 - Certification bodiesArticle 44 - General principle for transfersArticle 45 - Transfers on the basis of an adequacy decisionArticle 46 - Transfers subject to appropriate safeguardsArticle 47 - Binding corporate rulesArticle 48 - Transfers or disclosures not authorised by Union lawArticle 49 - Derogations for specific situationsArticle 50 - International cooperation for the protection of personal data
Section 1 - Independent status
Article 51 - Supervisory authorityArticle 52 - IndependenceArticle 53 - General conditions for the members of the supervisory authorityArticle 54 - Rules on the establishment of the supervisory authoritySection 2 - Competence, tasks and powers
Article 55 - CompetenceArticle 56 - Competence of the lead supervisory authorityArticle 57 - TasksArticle 58 - PowersArticle 59 - Activity reportsSection 1 - Cooperation
Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concernedArticle 61 - Mutual assistanceArticle 62 - Joint operations of supervisory authoritiesSection 2 - Consistency
Article 63 - Consistency mechanismArticle 64 - Opinion of the BoardArticle 65 - Dispute resolution by the BoardArticle 66 - Urgency procedureArticle 67 - Exchange of informationSection 3 - European data protection board
Article 68 - European Data Protection BoardArticle 69 - IndependenceArticle 70 - Tasks of the BoardArticle 71 - ReportsArticle 72 - ProcedureArticle 73 - ChairArticle 74 - Tasks of the ChairArticle 75 - SecretariatArticle 76 - ConfidentialityArticle 77 - Right to lodge a complaint with a supervisory authorityArticle 78 - Right to an effective judicial remedy against a supervisory authorityArticle 79 - Right to an effective judicial remedy against a controller or processorArticle 80 - Representation of data subjectsArticle 81 - Suspension of proceedingsArticle 82 - Right to compensation and liabilityArticle 83 - General conditions for imposing administrative finesArticle 84 - Penalties
Article 85 - Processing and freedom of expression and informationArticle 86 - Processing and public access to official documentsArticle 87 - Processing of the national identification numberArticle 88 - Processing in the context of employmentArticle 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposesArticle 90 - Obligations of secrecyArticle 91 - Existing data protection rules of churches and religious associations
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;
(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;
(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);
(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);
(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);
(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;
(q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);
(r) provide the Commission with an opinion on the icons referred to in Article 12(7);
(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.
(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
