← All frameworks
EU EU · 8 Policy & Process · EU/EEA

GDPR (EU)

General Data Protection Regulation (EU) 2016/679

2016/679

99 controls · 11 domains
Mandatory for: EU law
Start assessment in platform →

About this framework

The General Data Protection Regulation is the EU's data protection law. It sets strict rules on how personal data is collected, stored, and used, gives individuals rights over their data, and carries heavy fines for breaches.

Who needs this

Applies to any organisation handling the personal data of people in the EU, wherever it is based.

Cross-framework coverage

Controls in GDPR (EU) also cover:

ADHICS 13 shared
UK GDPR 13 shared
CJIS 12 shared
CIS Controls 12 shared
ISO 27001 12 shared

See how GDPR (EU) connects to the rest → the Security Universe

Control domains

CH-I · General provisions 4
Art.1
Subject-matter and objectives
Art.2
Material scope
Art.3
Territorial scope
Art.4
Definitions
CH-II · Principles 7
Art.5
Principles relating to processing of personal data
CJISADHICSCIS ControlsISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
Art.6
Lawfulness of processing
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.7
Conditions for consent
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.8
Conditions applicable to child's consent in relation to information society services
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.9
Processing of special categories of personal data
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.10
Processing of personal data relating to criminal convictions and offences
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.11
Processing which does not require identification
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
CH-III · Rights of the data subject 12
Art.12
Transparent information, communication and modalities for the exercise of the rights of the data subject
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.13
Information to be provided where personal data are collected from the data subject
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.14
Information to be provided where personal data have not been obtained from the data subject
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.15
Right of access by the data subject
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.16
Right to rectification
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.17
Right to erasure (‘right to be forgotten’)
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.18
Right to restriction of processing
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.20
Right to data portability
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.21
Right to object
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.22
Automated individual decision-making, including profiling
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.23
Restrictions
CH-IV · Controller and processor 20
Art.24
Responsibility of the controller
CJISCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRADHICSPCI DSS 4.0.1
Art.25
Data protection by design and by default
CJISADHICSCIS ControlsISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCHIPAA Security RuleNIS2SAMA CSF
Art.26
Joint controllers
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.27
Representatives of controllers or processors not established in the Union
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.28
Processor
CJISADHICSCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.29
Processing under the authority of the controller or processor
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.30
Records of processing activities
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.31
Cooperation with the supervisory authority
Art.32
Security of processing
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusHIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCCDORA
Art.33
Notification of a personal data breach to the supervisory authority
CJISADHICSCIS ControlsDORAHIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.34
Communication of a personal data breach to the data subject
CJISADHICSCIS ControlsDORAHIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.35
Data protection impact assessment
CJISADHICSCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.36
Prior consultation
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.37
Designation of the data protection officer
CJISCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRADHICSPCI DSS 4.0.1
Art.38
Position of the data protection officer
CJISCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRADHICSPCI DSS 4.0.1
Art.39
Tasks of the data protection officer
CJISADHICSCIS ControlsHIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPRDORANCA CCCPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021
Art.40
Codes of conduct
Art.41
Monitoring of approved codes of conduct
Art.42
Certification
Art.43
Certification bodies
CH-V · Transfers of personal data to third countries or international organisations 7
Art.44
General principle for transfers
CJISADHICSCIS ControlsISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
Art.45
Transfers on the basis of an adequacy decision
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.46
Transfers subject to appropriate safeguards
CJISADHICSCIS ControlsDORAHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
Art.47
Binding corporate rules
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.48
Transfers or disclosures not authorised by Union law
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.49
Derogations for specific situations
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.50
International cooperation for the protection of personal data
CH-VI · Independent supervisory authorities 9
Art.51
Supervisory authority
Art.52
Independence
Art.53
General conditions for the members of the supervisory authority
Art.54
Rules on the establishment of the supervisory authority
Art.55
Competence
Art.56
Competence of the lead supervisory authority
Art.57
Tasks
Art.58
Powers
Art.59
Activity reports
CH-VII · Cooperation and consistency 17
Art.60
Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Art.61
Mutual assistance
Art.62
Joint operations of supervisory authorities
Art.63
Consistency mechanism
Art.64
Opinion of the Board
Art.65
Dispute resolution by the Board
Art.66
Urgency procedure
Art.67
Exchange of information
Art.68
European Data Protection Board
Art.69
Independence
Art.70
Tasks of the Board
Art.71
Reports
Art.72
Procedure
Art.73
Chair
Art.74
Tasks of the Chair
Art.75
Secretariat
Art.76
Confidentiality
CH-VIII · Remedies, liability and penalties 8
Art.77
Right to lodge a complaint with a supervisory authority
Art.78
Right to an effective judicial remedy against a supervisory authority
Art.79
Right to an effective judicial remedy against a controller or processor
Art.80
Representation of data subjects
Art.81
Suspension of proceedings
Art.82
Right to compensation and liability
Art.83
General conditions for imposing administrative fines
Art.84
Penalties
CH-IX · Provisions relating to specific processing situations 7
Art.85
Processing and freedom of expression and information
Art.86
Processing and public access to official documents
Art.87
Processing of the national identification number
Art.88
Processing in the context of employment
Art.89
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
ADHICSPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
Art.90
Obligations of secrecy
Art.91
Existing data protection rules of churches and religious associations
CH-X · Delegated acts and implementing acts 2
Art.92
Exercise of the delegation
Art.93
Committee procedure
CH-XI · Final provisions 6
Art.94
Repeal of Directive 95/46/EC
Art.95
Relationship with Directive 2002/58/EC
Art.96
Relationship with previously concluded Agreements
Art.97
Commission reports
Art.98
Review of other Union legal acts on data protection
Art.99
Entry into force and application

Ready to assess against GDPR (EU)?

Start free trial →