GDPR (EU)
General Data Protection Regulation (EU) 2016/679
99 controls · 11 domains
Mandatory for: EU law
About this framework
The General Data Protection Regulation is the EU's data protection law. It sets strict rules on how personal data is collected, stored, and used, gives individuals rights over their data, and carries heavy fines for breaches.
Who needs this
Applies to any organisation handling the personal data of people in the EU, wherever it is based.
Cross-framework coverage
Controls in GDPR (EU) also cover:
NIST CSF: 12 shared controls
CIS Controls: 12 shared controls
ISO 27001: 12 shared controls
UK GDPR: 12 shared controls
NCA ECC-2: 12 shared controls
Control domains
CH-I · General provisions (4 articles)
Art. 1 · Subject-matter and objectives
Art. 2 · Material scope
Art. 3 · Territorial scope
Art. 4 · Definitions
CH-II · Principles (7 articles)
Art. 5 · Principles relating to processing of personal data
Art. 6 · Lawfulness of processing
Art. 7 · Conditions for consent
Art. 8 · Conditions applicable to child's consent in relation to information society services
Art. 9 · Processing of special categories of personal data
Art. 10 · Processing of personal data relating to criminal convictions and offences
Art. 11 · Processing which does not require identification
CH-III · Rights of the data subject (12 articles)
Art. 12 · Transparent information, communication and modalities for the exercise of the rights of the data subject
Art. 13 · Information to be provided where personal data are collected from the data subject
Art. 14 · Information to be provided where personal data have not been obtained from the data subject
Art. 15 · Right of access by the data subject
Art. 16 · Right to rectification
Art. 17 · Right to erasure (‘right to be forgotten’)
Art. 18 · Right to restriction of processing
Art. 19 · Notification obligation regarding rectification or erasure of personal data or restriction of processing
Art. 20 · Right to data portability
Art. 21 · Right to object
Art. 22 · Automated individual decision-making, including profiling
Art. 23 · Restrictions
CH-IV · Controller and processor (20 articles)
Art. 24 · Responsibility of the controller
Art. 25 · Data protection by design and by default
Art. 26 · Joint controllers
Art. 27 · Representatives of controllers or processors not established in the Union
Art. 28 · Processor
Art. 29 · Processing under the authority of the controller or processor
Art. 30 · Records of processing activities
Art. 31 · Cooperation with the supervisory authority
Art. 32 · Security of processing
Art. 33 · Notification of a personal data breach to the supervisory authority
Art. 34 · Communication of a personal data breach to the data subject
Art. 35 · Data protection impact assessment
Art. 36 · Prior consultation
Art. 37 · Designation of the data protection officer
Art. 38 · Position of the data protection officer
Art. 39 · Tasks of the data protection officer
Art. 40 · Codes of conduct
Art. 41 · Monitoring of approved codes of conduct
Art. 42 · Certification
Art. 43 · Certification bodies
CH-V · Transfers of personal data to third countries or international organisations (7 articles)
Art. 44 · General principle for transfers
Art. 45 · Transfers on the basis of an adequacy decision
Art. 46 · Transfers subject to appropriate safeguards
Art. 47 · Binding corporate rules
Art. 48 · Transfers or disclosures not authorised by Union law
Art. 49 · Derogations for specific situations
Art. 50 · International cooperation for the protection of personal data
CH-VI · Independent supervisory authorities (9 articles)
Art. 51 · Supervisory authority
Art. 52 · Independence
Art. 53 · General conditions for the members of the supervisory authority
Art. 54 · Rules on the establishment of the supervisory authority
Art. 55 · Competence
Art. 56 · Competence of the lead supervisory authority
Art. 57 · Tasks
Art. 58 · Powers
Art. 59 · Activity reports
CH-VII · Cooperation and consistency (17 articles)
Art. 60 · Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Art. 61 · Mutual assistance
Art. 62 · Joint operations of supervisory authorities
Art. 63 · Consistency mechanism
Art. 64 · Opinion of the Board
Art. 65 · Dispute resolution by the Board
Art. 66 · Urgency procedure
Art. 67 · Exchange of information
Art. 68 · European Data Protection Board
Art. 69 · Independence
Art. 70 · Tasks of the Board
Art. 71 · Reports
Art. 72 · Procedure
Art. 73 · Chair
Art. 74 · Tasks of the Chair
Art. 75 · Secretariat
Art. 76 · Confidentiality
CH-VIII · Remedies, liability and penalties (8 articles)
Art. 77 · Right to lodge a complaint with a supervisory authority
Art. 78 · Right to an effective judicial remedy against a supervisory authority
Art. 79 · Right to an effective judicial remedy against a controller or processor
Art. 80 · Representation of data subjects
Art. 81 · Suspension of proceedings
Art. 82 · Right to compensation and liability
Art. 83 · General conditions for imposing administrative fines
Art. 84 · Penalties
CH-IX · Provisions relating to specific processing situations (7 articles)
Art. 85 · Processing and freedom of expression and information
Art. 86 · Processing and public access to official documents
Art. 87 · Processing of the national identification number
Art. 88 · Processing in the context of employment
Art. 89 · Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Art. 90 · Obligations of secrecy
Art. 91 · Existing data protection rules of churches and religious associations
CH-X · Delegated acts and implementing acts (2 articles)
Art. 92 · Exercise of the delegation
Art. 93 · Committee procedure
CH-XI · Final provisions (6 articles)
Art. 94 · Repeal of Directive 95/46/EC
Art. 95 · Relationship with Directive 2002/58/EC
Art. 96 · Relationship with previously concluded Agreements
Art. 97 · Commission reports
Art. 98 · Review of other Union legal acts on data protection
Art. 99 · Entry into force and application