Skip to main content
Top Button

General Data Protection Regulation (GDPR)

Many organizations all over the world need to comply with the European Union (EU) General Data Protection Regulation (GDPR). The GDPR strengthens and expands the scope of existing European data protection law. Significantly, many organizations physically located outside of Europe must comply with the GDPR if they collect or otherwise process information about individuals in the European Economic Area. Failure to meet the GDPR requirements by May 25, 2018, may trigger steep administrative fines of up to €20 million or 4% of the organization’s global annual revenue, whichever is greater.
Ice Miller's Data Security and Privacy Practice assists organizations of all types and sizes—including large corporations, start-up companies, not-for-profits, mobile app developers, and educational institutions—with all aspects of GDPR compliance. As a resource to you, we are providing the full text of the GDPR below. For more information, contact Nick Merker, Stephen Reynolds or another member of the Data Security and Privacy Practice.


Chapter 1 (Art. 1 - 4) General Provisions

Art. 1 Subject-matter and objectives

Art. 2 Material scope

Art. 3 Territorial scope

Art. 4 Definitions

Chapter 2 (Art. 5 - 11) Principles

Art. 5 Principles relating to processing of personal data

Art. 6 Lawfulness of processing

Art. 7 Conditions for consent

Art. 8 Conditions applicable to child's consent in relation to information society services

Art. 9 Processing of special categories of personal data

Art. 10 Processing of personal data relating to criminal convictions and offences

Art. 11 Processing which does not require identification

Chapter 3 (Art. 12 - 23) Rights of the data subject

Art. 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

Art. 13 Information to be provided where personal data are collected from the data subject

Art. 14 Information to be provided where personal data have not been collected from the data subject

Art. 15 Right of access by the data subject

Art. 16 Right to rectification

Art. 17 Right to erasure ("right to be forgotten")

Art. 18 Right to restriction of processing

Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

Art. 20 Right to data portability

Art. 21 Right to object

Art. 22 Automated individual decision-making, including profiling

Art. 23 Restrictions

Chapter 4 (Art. 24 - 43) Controller and processor

Art. 24 Responsibility of the controller

Art. 25 Data protection by design and by default

Art. 26 Joint controllers

Art. 27 Representatives of controllers or processors not established in the Union

Art. 28 Processor

Art. 29 Processing under the authority of the controller or processor

Art. 30 Records of processing activities

Art. 31 Cooperation with the supervisory authority

Art. 32 Security of processing

Art. 33 Notification of a personal data breach to the supervisory authority

Art. 34 Communication of a personal data breach to the data subject

Art. 35 Data protection impact assessment

Art. 36 Prior consultation

Art. 37 Designation of the data protection officer

Art. 38 Position of the data protection officer

Art. 39 Tasks of the data protection officer

Art. 40 Codes of conduct

Art. 41 Monitoring of approved codes of conduct

Art. 42 Certification

Art. 43 Certification bodies

Chapter 5 (Art. 44 - 50) Transfers of personal data to third countries or internal organisations

Art. 44 General principles for transfers

Art. 45 Transfers on the basis of an adequacy decision

Art. 46 Transfers subject to appropriate safeguards

Art. 47 Binding corporate rules

Art. 48 Transfers or disclosures not authorised by Union law

Art. 49 Derogations for specific situations

Art. 50 International cooperation for the protection of personal data

Chapter 6 (Art. 51 - 59) Independent supervisory authorities

Art. 51 Supervisory authority

Art. 52 Independence

Art. 53 General conditions for the members of the supervisory authority

Art. 54 Rules on the establishment of the supervisory authority

Art. 55 Competence

Art. 56 Competence of the lead supervisory authority

Art. 57 Tasks

Art. 58 Powers

Art. 59 Activity Reports

Chapter 7 (Art. 60 - 76) Cooperation and consistency

Art. 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned

Art. 61 Mutual assistance

Art. 62 Joint operations of supervisory authorities

Art. 63 Consistency mechanism

Art. 64 Opinion of the Board

Art. 65 Dispute resolution by the Board

Art. 66 Urgency procedure

Art. 67 Exchange of information

Art. 68 European Data Protection Board

Art. 69 Independence

Art. 70 Tasks of the Board

Art. 71 Reports

Art. 72 Procedure

Art. 73 Chair

Art. 74 Tasks of the Chair

Art. 75 Secretariat

Art. 76 Confidentiality

Chapter 8 (Art. 77 - 84) Remedies, liability and penalties

Art. 77 Right to lodge a complaint with a supervisory authority

Art. 78 Right to an effective judicial remedy against a supervisory authority

Art. 79 Right to an effective judicial remedy against a controller or processor

Art. 80 Representation of data subjects

Art. 81 Suspension of proceedings

Art. 82 Right to compensation and liability

Art. 83 General conditions for imposing administrative fines

Art. 84 Penalties

Chapter 9 (Art. 85 - 91) Provisions relating to specific processing situations

Art. 85 Processing and freedom of expression and information

Art. 86 Processing and public access to official documents

Art. 87 Processing of the national identification number

Art. 88 Processing in the context of employment

Art. 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Art. 90 Obligations of secrecy

Art. 91 Existing data protection rules of churches and religious associations

Chapter 10 (Art. 92 - 93) Delegated acts and implementing acts

Art. 92 Exercise of the delegation

Art. 93 Committee procedure

Chapter 11 (Art. 94 - 99) Final provisions

Art. 94 Repeal of Directive 95/46/EC

Art. 95 Relationship with Directive 2002/58/EC

Art. 96 Relationship with previously concluded Agreements

Art. 97 Commission reports

Art. 98 Review of other Union legal acts on data protection

Art. 99 Entry into force and application



Ice Miller Contacts

Nick Merker
Nicholas R. Merker, Partner
Stephen Reynolds
Stephen Reynolds, Partner
View Full Site View Mobile Optimized