The Regulation
All 173 GDPR recitals, explained.
The GDPR opens with 173 recitals — the preamble that sets out the reasoning behind every article. They are the key to interpreting the Regulation. Here is the full text of each one.
Recitals 1–30
1Data Protection as a Fundamental Right2Respect of the Fundamental Rights and Freedoms3Directive 95/46/EC Harmonisation4Data Protection in Balance with Other Fundamental Rights5Cooperation Between Member States to Exchange Personal Data6Ensuring a High Level of Data Protection Despite the Increased Exchange of Data7The Framework is Based on Control and Certainty8Adoption into National Law9Different Standards of Protection by the Directive 95/46/EC10Harmonised Level of Data Protection Despite National Scope11Harmonisation of the Powers and Sanctions12Authorization of the European Parliament and the Council13Taking Account of Micro, Small and Medium-Sized Enterprises14Not Applicable to Legal Persons15Technology Neutrality16Not Applicable to Activities Regarding National and Common Security17Adaptation of Regulation (EC) No 45/200118Not Applicable to Personal or Household Activities19Not Applicable to Criminal Prosecution20Respecting the Independence of the Judiciary21Liability Rules of Intermediary Service Providers Shall Remain Unaffected22Processing by an Establishment23Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Targeted24Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled25Applicable to Controllers Due to International Law26Not Applicable to Anonymous Data27Not Applicable to Data of Deceased Persons28Introduction of Pseudonymisation29Pseudonymisation at the Same Controller30Online Identifiers for Profiling and Identification
Recitals 31–60
31Not Applicable to Public Authorities in Connection with Their Official Tasks32Conditions for Consent33Consent to Certain Areas of Scientific Research34Genetic Data35Health Data36Determination of the Main Establishment37Group of undertakings38Special Protection of Children's Personal Data39Principles of Data Processing40Lawfulness of Data Processing41Legal Basis or Legislative Measures42Burden of Proof and Requirements for Consent43Freely Given Consent44Performance of a Contract45Fulfillment of Legal Obligations46Vital Interests of the Data Subject47Overriding Legitimate Interest48Overriding Legitimate Interest Within Group of Undertakings49Network and Information Security as Overriding Legitimate Interest50Further Processing of Personal Data51Protecting Sensitive Personal Data52Exceptions to the Prohibition on Processing Special Categories of Personal Data53Processing of Sensitive Data in Health and Social Sector54Processing of Sensitive Data in Public Health Sector55Public Interest in Processing by Official Authorities for Objectives of Recognized Religious Communities56Processing Personal Data on People's Political Opinions by Parties57Additional Data for Identification Purposes58The Principle of Transparency59Procedures for the Exercise of the Rights of the Data Subjects60Information Obligation
Recitals 61–90
61Time of Information62Exceptions to the Obligation to Provide Information63Right of Access64Identity Verification65Right of Rectification and Erasure66Right to be Forgotten67Restriction of Processing68Right of Data Portability69Right to Object70Right to Object to Direct Marketing71Profiling72Guidance of the European Data Protection Board Regarding Profiling73Restrictions of Rights and Principles74Responsibility and Liability of the Controller75Risks to the Rights and Freedoms of Natural Persons76Risk Assessment77Risk Assessment Guidelines78Appropriate Technical and Organisational Measures79Allocation of the Responsibilities80Designation of a Representative81The Use of Processors82Record of Processing Activities83Security of Processing84Risk Evaluation and Impact Assessment85Notification Obligation of Breaches to the Supervisory Authority86Notification of Data Subjects in Case of Data Breaches87Promptness of Reporting / Notification88Format and Procedures of the Notification89Elimination of the General Reporting Requirement90Data Protection Impact Assessement
Recitals 91–120
91Necessity of a Data Protection Impact Assessment92Broader Data Protection Impact Assessment93Data Protection Impact Assessment at Authorities94Consultation of the Supervisory Authority95Support by the Processor96Consultation of the Supervisory Authority in the Course of a Legislative Process97Data Protection Officer98Preparation of Codes of Conduct by Organisations and Associations99Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct100Certification101General Principles for International Data Transfers102International Agreements for an Appropriate Level of Data Protection103Appropriate Level of Data Protection Based on an Adequacy Decision104Criteria for an Adequacy Decision105Consideration of International Agreements for an Adequacy Decision106Monitoring and Periodic Review of the Level of Data Protection107Amendment, Revocation and Suspension of Adequacy Decisions108Appropriate Safeguards109Standard Data Protection Clauses110Binding Corporate Rules111Exceptions for Certain Cases of International Transfers112Data Transfers due to Important Reasons of Public Interest113Transfers Qualified as Not Repetitive and that Only Concern a Limited Number of Data Subjects114Safeguarding of Enforceability of Rights and Obligations in the Absence of an Adequacy Decision115Rules in Third Countries Contrary to the Regulation116Cooperation Among Supervisory Authorities117Establishment of Supervisory Authorities118Monitoring of the Supervisory Authorities119Organisation of Several Supervisory Authorities of a Member State120Features of Supervisory Authorities
Recitals 121–150
121Independence of the Supervisory Authorities122Responsibility of the Supervisory Authorities123Cooperation of the Supervisory Authorities with Each Other and with the Commission124Lead Authority Regarding Processing in Several Member States125Competences of the Lead Authority126Joint Decisions127Information of the Supervisory Authority Regarding Local Processing128Responsibility Regarding Processing in the Public Interest129Tasks and Powers of the Supervisory Authorities130Consideration of the Authority with which the Complaint has been Lodged131Attempt of an Amicable Settlement132Awareness-Raising Activities and Specific Measures133Mutual Assistance and Provisional Measures134Participation in Joint Operations135Consistency Mechanism136Binding Decisions and Opinions of the Board137Provisional Measures138Urgency Procedure139European Data Protection Board140Secretariat and Staff of the Board141Right to Lodge a Complaint142The Right of Data Subjects to Mandate a Not-For-Profit Body, Organisation or Association143Judicial Remedies144Related Proceedings145Choice of Venue146Indemnity147Jurisdiction148Penalties149Penalties for Infringements of National Rules150Administrative Fines
Recitals 151–173
151Administrative Fines in Denmark and Estonia152Power of Sanction of the Member States153Processing of Personal Data Solely for Journalistic Purposes or for the Purposes of Academic, Artistic or Literary Expression154Principle of Public Access to Official Documents155Processing in the Employment Context156Processing for Archiving, Scientific or Historical Research or Statistical Purposes157Information from Registries and Scientific Research158Processing for Archiving Purposes159Processing for Scientific Research Purposes160Processing for Historical Research Purposes161Consenting to the Participation in Clinical Trials162Processing for Statistical Purposes163Production of European and National Statistics164Professional or Other Equivalent Secrecy Obligations165No Prejudice of the Status of Churches and Religious Associations166Delegated Acts of the Commission167Implementing Powers of the Commission168Implementing Acts on Standard Contractual Clauses169Immediately Applicable Implementing Acts170Principle of Subsidiarity and Principle of Proportionality171Repeal of Directive 95/46/EC and Transitional Provisions172Consultation of the European Data Protection Supervisor173Relationship to Directive 2002/58/EC
Recitals are part of the GDPR's preamble. They are not binding in their own right, but courts and regulators use them to interpret the binding articles. Official text reproduced from EUR-Lex — © European Union.
From intent to compliance
The recitals explain the "why". Our team helps you act on the "how" — audits, DPIAs, transfers and breach response.