The Regulation

All 99 GDPR articles, explained.

The full text of the GDPR runs to 99 articles across 11 chapters. Here is every one in plain English — searchable, cross-linked, and connected to practical guidance and the latest enforcement.

Jump to a chapter

1. General Provisions2. Principles3. Rights of the Data Subject4. Controller and Processor5. Transfers to Third Countries6. Independent Supervisory Authorities7. Co-operation and Consistency8. Remedies, Liability and Sanctions9. Specific Processing Situations10. Delegated & Implementing Acts11. Final Provisions

Chapter 1General Provisions

Articles 1–4

What the regulation is for, who and what it covers, and the definitions everything else depends on.

1Subject matter and objectivesSets out what the GDPR is for: protecting people's fundamental right to the protection of their personal data, while allowing personal data to flow freely within the EU.2Material scopeDefines what kinds of processing the GDPR applies to — broadly, the automated or structured processing of personal data — and the narrow activities it does not cover.3Territorial scopeThe GDPR's reach is extra-territorial. It applies to organisations established in the EU, and to those outside the EU that offer goods or services to, or monitor, people in the EU.4DefinitionsThe dictionary of the GDPR — defining 'personal data', 'processing', 'controller', 'processor', 'consent', 'pseudonymisation', 'profiling' and more. Almost every other article depends on these terms.

Chapter 2Principles

Articles 5–11

The core principles of lawful processing — including lawful basis, consent and special-category data.

5Principles relating to processing of personal dataThe seven principles at the heart of the GDPR. Every processing activity must satisfy all of them, and you must be able to demonstrate that it does (accountability).6Lawfulness of processingYou need a lawful basis for every processing activity. There are six, and consent is only one of them — picking the right basis is a foundational compliance decision.7Conditions for consentWhere you rely on consent, it must be freely given, specific, informed and unambiguous — and as easy to withdraw as it was to give. Pre-ticked boxes and bundled consent do not count.8Conditions applicable to a child's consentFor online services offered directly to children, consent is only valid if the child is at least 16 — or a lower age set by the member state, but never below 13. Below that, a parent must consent.9Processing of special categories of personal dataSensitive data — health, race, religion, sexual orientation, biometrics, political opinions and more — is processing-prohibited by default, unless a specific exception (such as explicit consent) applies.10Processing of criminal-conviction dataData about criminal convictions and offences can only be processed under the control of an official authority or where authorised by law with appropriate safeguards.11Processing not requiring identificationIf your purposes do not require you to identify a person, you are not obliged to keep or acquire extra data just to comply — and some data-subject rights may not apply if you genuinely cannot identify them.

Chapter 3Rights of the Data Subject

Articles 12–23

The enforceable rights every person has over their personal data, from access to erasure.

12Transparent information and modalitiesThe umbrella rule for exercising rights: information and communications must be concise, transparent, intelligible and in plain language — and you must respond, usually free of charge, within one month.13Information to be provided (data collected from the person)When you collect data directly from someone, you must tell them — at the time — who you are, why you are processing, your lawful basis, who receives the data, how long you keep it, and their rights. This is your privacy notice.14Information to be provided (data not obtained from the person)Where you obtain data about someone from a third party, you still owe them transparency information — generally within a month, and including where the data came from.15Right of access by the data subjectAnyone can ask whether you hold data about them and, if so, receive a copy plus information about how and why you process it. This is the Data Subject Access Request (DSAR).16Right to rectificationPeople can have inaccurate personal data about them corrected, and incomplete data completed, without undue delay.17Right to erasure ('right to be forgotten')In defined circumstances — data no longer needed, consent withdrawn, unlawful processing — people can have their data deleted. It is not absolute, and must be balanced against other interests such as free expression.18Right to restriction of processingPeople can require you to pause processing — for example while accuracy is checked or an objection is considered — so the data is stored but not otherwise used.19Notification obligationIf you rectify, erase or restrict data, you must tell each recipient you disclosed it to — unless that proves impossible or disproportionate.20Right to data portabilityWhere processing is based on consent or contract and is automated, people can receive the data they provided in a structured, commonly used, machine-readable format — and have it transmitted to another provider.21Right to objectPeople can object to processing based on legitimate interests or public task, and have an absolute right to object to direct marketing — at which point you must stop using their data for it.22Automated decision-making and profilingPeople have the right not to be subject to a decision based solely on automated processing — including profiling — that has legal or similarly significant effects, save in defined cases with safeguards.23RestrictionsMember states may restrict certain rights and obligations by law — for example for national security, defence or the prevention of crime — provided the restriction respects the essence of the rights and is necessary and proportionate.

Chapter 4Controller and Processor

Articles 24–43

The duties of organisations that decide and carry out processing — security, breach, DPIAs and DPOs.

24Responsibility of the controllerThe controller must implement appropriate technical and organisational measures to ensure — and be able to demonstrate — that processing complies with the GDPR. This is accountability in practice.25Data protection by design and by defaultPrivacy must be built into systems from the outset and as the default setting — minimising data, limiting access and applying safeguards by design rather than as an afterthought.26Joint controllersWhere two or more controllers jointly decide the purposes and means, they must agree — transparently — who is responsible for which obligations, especially towards data subjects.27Representatives of controllers not established in the UnionNon-EU organisations caught by the GDPR generally must designate a representative in the EU as a contact point for individuals and regulators.28ProcessorWhenever a processor handles data on your behalf, a written contract with specific mandatory terms (a Data Processing Agreement) must be in place. Processors have direct obligations too.29Processing under the authority of controller or processorAnyone acting under a controller or processor may only process personal data on documented instructions — not on their own initiative.30Records of processing activitiesMost organisations must keep an internal record of their processing activities — the 'ROPA' — describing what data they process, why, who they share it with and how long they keep it.31Cooperation with the supervisory authorityControllers and processors must cooperate with their data-protection authority on request in the performance of its tasks.32Security of processingYou must implement appropriate technical and organisational security measures for the risk — potentially including encryption, pseudonymisation, resilience and regular testing.33Notification of a breach to the supervisory authorityA personal data breach likely to risk people's rights must be reported to the supervisory authority within 72 hours of becoming aware of it. All breaches must be documented internally.34Communication of a breach to the data subjectWhere a breach is likely to result in a high risk to individuals, you must also tell the affected people, in clear language and without undue delay.35Data protection impact assessment (DPIA)Before high-risk processing — large-scale monitoring, sensitive data, new technologies — you must run a DPIA to identify and mitigate the risks. AI deployments frequently trigger this.36Prior consultationIf a DPIA shows a high residual risk you cannot mitigate, you must consult your supervisory authority before going ahead.37Designation of the Data Protection OfficerYou must appoint a DPO if you are a public authority, carry out large-scale systematic monitoring, or process special-category data at large scale.38Position of the Data Protection OfficerThe DPO must be involved in all data-protection matters, given the resources to do the job, allowed to act independently, and report to the highest level of management.39Tasks of the Data Protection OfficerThe DPO informs and advises on obligations, monitors compliance, advises on DPIAs, and acts as contact point for the supervisory authority and data subjects.40–43Codes of conduct and certificationIndustry codes of conduct and approved certification schemes (with accredited bodies and monitoring) let organisations demonstrate compliance and build trust.

Chapter 5Transfers to Third Countries

Articles 44–50

The rules for moving personal data outside the EEA safely.

44General principle for transfersPersonal data may only leave the EEA if the conditions of Chapter 5 are met — the protection travelling with the GDPR must not be undermined by sending data abroad.45Transfers on the basis of an adequacy decisionThe Commission can decide that a country (or framework, like the EU–US Data Privacy Framework) offers adequate protection, allowing free transfers there without extra safeguards.46Transfers subject to appropriate safeguardsWithout adequacy, transfers need appropriate safeguards — most commonly Standard Contractual Clauses (SCCs) or Binding Corporate Rules — often plus a transfer impact assessment.47Binding corporate rulesMultinational groups can adopt approved internal rules (BCRs) to transfer data within the group across borders, once a supervisory authority signs them off.48Transfers not authorised by Union lawA foreign court or authority order to hand over data is not, by itself, a lawful basis to transfer — it must go through an international agreement such as mutual legal assistance.49Derogations for specific situationsIn the absence of adequacy or safeguards, narrow exceptions allow occasional transfers — for example explicit consent, contract necessity, or important public-interest grounds.50International cooperationCommits the EU and regulators to develop international cooperation mechanisms to protect personal data across borders.

Chapter 6Independent Supervisory Authorities

Articles 51–59

The national regulators (DPAs) that enforce the GDPR, and their powers.

51–54Independent status of supervisory authoritiesEach member state must have one or more fully independent data-protection authorities (DPAs), with the resources, staff and legal standing to act free of external influence.55–59Competence, tasks and powersSets out what DPAs do — handling complaints, investigating, advising, and wielding powers including warnings, orders, processing bans and administrative fines.58Powers of the supervisory authoritySpells out the concrete powers of a DPA — to investigate, to order compliance, to limit or ban processing, and to impose fines.

Chapter 7Co-operation and Consistency

Articles 60–76

How regulators work together across borders, and the European Data Protection Board.

60–62Co-operation between authorities (one-stop-shop)For cross-border processing, a lead authority cooperates with other 'concerned' authorities to reach a single decision — the 'one-stop-shop' mechanism.63–67Consistency mechanismEnsures the GDPR is applied consistently across the EU — including binding dispute resolution by the European Data Protection Board when authorities disagree.68–76European Data Protection Board (EDPB)Establishes the EDPB — the EU body of national regulators that issues guidance, ensures consistency, and makes binding decisions in cross-border disputes.

Chapter 8Remedies, Liability and Sanctions

Articles 77–84

Complaints, compensation and the headline fines — up to €20m or 4% of global turnover.

77Right to lodge a complaint with a supervisory authorityAnyone can complain to a DPA — usually in their own country — if they believe their data has been processed in breach of the GDPR.78–79Right to an effective judicial remedyPeople (and organisations) can go to court against a binding DPA decision, and directly against a controller or processor that has breached their rights.80Representation of data subjectsPeople can mandate a not-for-profit body to lodge complaints and bring proceedings on their behalf — opening the door to collective redress.82Right to compensation and liabilityAnyone who suffers material or non-material damage from a GDPR breach has the right to compensation from the controller or processor responsible.83General conditions for imposing administrative finesThe headline enforcement tool: fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher, with a lower tier of €10m / 2% for other breaches.84PenaltiesMember states may lay down additional penalties — including criminal ones — for infringements not already covered by administrative fines.

Chapter 9Specific Processing Situations

Articles 85–91

How the GDPR is balanced against free expression, employment, research and other contexts.

85–91Specific data-processing situationsReconciles data protection with other interests — freedom of expression and the press, public-access to documents, national ID numbers, employment, archiving, research, and churches.

Chapter 10Delegated & Implementing Acts

Articles 92–93

How the Commission may adopt further detailed rules.

92–93Delegated and implementing actsSets out how the European Commission may adopt further detailed (delegated and implementing) rules under the GDPR.

Chapter 11Final Provisions

Articles 94–99

Repeal of the old directive, review, and entry into force.

94Repeal of Directive 95/46/ECRepeals the old 1995 Data Protection Directive that the GDPR replaced, with references to it read as references to the GDPR.99Entry into force and applicationThe GDPR entered into force in 2016 and applied from 25 May 2018 — the date it became directly enforceable across the EU after a two-year grace period.

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

From the text to your business

Reading the article is the first step. Our team applies it to your data, your contracts and your risk.

Talk to a lawyer