Appendix 1: Index of the Regulation – EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide


Chapter I – General provisions

  1.  Subject-matter and objectives

  2.  Material scope

  3.  Territorial scope

  4.  Definitions

Chapter II – Principles

  5.  Principles relating to processing of personal data

  6.  Lawfulness of processing

  7.  Conditions for consent

  8.  Conditions applicable to child’s consent in relation to information society services

  9.  Processing of special categories of personal data

10.  Processing of personal data relating to criminal convictions and offences

11.  Processing which does not require identification

Chapter III – Rights of the data subject

Section 1 – Transparency and modalities

12.  Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2 – Information and access to personal data

13.  Information to be provided where personal data are collected from the data subject

14.  Information to be provided where personal data have not been collected from the data subject

15.  Right of access by the data subject

Section 3 – Rectification and erasure

16.  Right to rectification

17.  Right to erasure (‘right to be forgotten’)

18.  Right to restriction of processing

19.  Notification obligation regarding rectification or erasure of personal data or restriction of processing

20.  Right to data portability

Section 4 – Right to object and automated individual decision-making

21.  Right to object

22.  Automated individual decision-making, including profiling

Section 5 – Restrictions

23.  Restrictions

Chapter IV – Controller and processor

Section 1 – General obligations

24.  Responsibility of the controller

25.  Data protection by design and by default

26.  Joint controllers

27.  Representatives of controllers or processors not established in the Union

28.  Processor

29.  Processing under the authority of the controller or processor

30.  Records of processing activities

31.  Cooperation with the supervisory authority

Section 2 – Security of personal data

32.  Security of processing

33.  Notification of a personal data breach to the supervisory authority

34.  Communication of a personal data breach to the data subject

Section 3 – Data protection impact assessment and prior consultation

35.  Data protection impact assessment

36.  Prior consultation

Section 4 – Data protection officer

37.  Designation of the data protection officer

38.  Position of the data protection officer

39.  Tasks of the data protection officer

Section 5 – Codes of conduct and certification

40.  Codes of conduct

41.  Monitoring of approved codes of conduct

42.  Certification

43.  Certification bodies

Chapter V – Transfer of personal data to third countries or international organisations

44.  General principle for transfers

45.  Transfers on the basis of an adequacy decision

46.  Transfers subject to appropriate safeguards

47.  Binding corporate rules

48.  Transfers or disclosures not authorised by Union law

49.  Derogations for specific situations

50.  International cooperation for the protection of personal data

Chapter VI – Independent supervisory authorities

Section 1 – Independent status

51.  Supervisory authority

52.  Independence

53.  General conditions for the members of the supervisory authority

54.  Rules on the establishment of the supervisory authority

Section 2 – Competence, tasks and powers

55.  Competence

56.  Competence of the lead supervisory authority

57.  Tasks

58.  Powers

59.  Activity reports

Chapter VII – Cooperation and consistency

Section 1 – Cooperation

60.  Cooperation between the lead supervisory authority and other supervisory authorities concerned

61.  Mutual assistance

62.  Joint operations of supervisory authorities

Section 2 – Consistency

63.  Consistency mechanism

64.  Opinion of the Board

65.  Dispute resolution by the Board

66.  Urgency procedure

67.  Exchange of information

Section 3 – European Data Protection Board

68.  European Data Protection Board

69.  Independence

70.  Tasks of the Board

71.  Reports

72.  Procedure

73.  Chair

74.  Tasks of the Chair

75.  Secretariat

76.  Confidentiality

Chapter VIII – Remedies, liabilities and penalties

77.  Right to lodge a complaint with a supervisory authority

78.  Right to an effective judicial remedy against a supervisory authority

79.  Right to an effective judicial remedy against a controller or processor

80.  Representation of data subjects

81.  Suspension of proceedings

82.  Right to compensation and liability

83.  General conditions for imposing administrative fines

84.  Penalties

Chapter IX – Provisions relating to specific processing situations

85.  Processing and freedom of expression and information

86.  Processing and public access to official documents

87.  Processing of the national identification number

88.  Processing in the context of employment

89.  Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

90.  Obligations of secrecy

91.  Existing data protection rules of churches and religious associations

Chapter X – Delegated acts and implementing acts

92.  Exercise of the delegation

93.  Committee procedure

Chapter XI – Final provisions

94.  Repeal of Directive 95/46/EC

95.  Relationship with Directive 2002/58/EC

96.  Relationship with previously concluded Agreements

97.  Commission reports

98.  Review of other Union legal acts on data protection

99.  Entry into force and application