- Article 1 - Subject-matter and objectives
- Article 2 - Material scope
- Article 3 - Territorial scope
- Article 4 - Definitions
- Article 5 - Principles relating to processing of personal data
- Article 6 - Lawfulness of processing
- Article 7 - Conditions for consent
- Article 8 - Conditions applicable to child's consent in relation to information society services
- Article 9 - Processing of special categories of personal data
- Article 10 - Processing of personal data relating to criminal convictions and offences
- Article 11 - Processing which does not require identification
- Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
- Article 13 - Information to be provided where personal data are collected from the data subject
- Article 14 - Information to be provided where personal data have not been obtained from the data subject
- Article 15 - Right of access by the data subject
- Article 16 - Right to rectification
- Article 17 - Right to erasure (‘right to be forgotten’)
- Article 18 - Right to restriction of processing
- Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20 - Right to data portability
- Article 21 - Right to object
- Article 22 - Automated individual decision-making, including profiling
- Article 23 - Restrictions
- Article 24 - Responsibility of the controller
- Article 25 - Data protection by design and by default
- Article 26 - Joint controllers
- Article 27 - Representatives of controllers or processors not established in the Union
- Article 28 - Processor
- Article 29 - Processing under the authority of the controller or processor
- Article 30 - Records of processing activities
- Article 31 - Cooperation with the supervisory authority
- Article 32 - Security of processing
- Article 33 - Notification of a personal data breach to the supervisory authority
- Article 34 - Communication of a personal data breach to the data subject
- Article 35 - Data protection impact assessment
- Article 36 - Prior consultation
- Article 37 - Designation of the data protection officer
- Article 38 - Position of the data protection officer
- Article 39 - Tasks of the data protection officer
- Article 40 - Codes of conduct
- Article 42 - Certification
- Article 44 - General principle for transfers
- Article 45 - Transfers on the basis of an adequacy decision
- Article 46 - Transfers subject to appropriate safeguards
- Article 47 - Binding corporate rules
- Article 48 - Transfers or disclosures not authorised by Union law
- Article 49 - Derogations for specific situations
- Article 82 - Right to compensation and liability
- Article 83 - General conditions for imposing administrative fines
- Article 87 - Processing of the national identification number
- Article 88 - Processing in the context of employment
- Article 99 - Entry into force and application