GDPR articles explained

Posted by Kevin Yun | February 8, 2026

Every organization handling European data needs to understand the General Data Protection Regulation. But the regulation's 99 articles can feel overwhelming when you're trying to figure out what applies to your business.

The GDPR restructured how companies collect, process, and store personal data. Passed in 2016 and enforced since May 2018, it affects any organization offering goods or services to EU residents or monitoring their behavior. That includes businesses based outside Europe.

This breakdown covers what each chapter means for your operations. You'll learn which articles demand immediate attention and which ones might not apply to your situation at all.

Chapter 1: General provisions (Articles 1-4)

These opening articles set the stage. They define what the GDPR covers and who needs to follow it.

Article 1 establishes that the regulation protects people's fundamental rights regarding their personal data. It aims to balance data protection with the free movement of information across EU borders.

Article 2 clarifies the material scope. The GDPR applies to automated processing and filing systems. It excludes purely personal activities (like your home address book) and certain law enforcement contexts.

Article 3 addresses territorial scope. This article catches many businesses off guard. You don't need a physical presence in Europe to fall under GDPR rules. Processing data of EU residents while offering them goods or services? You're covered. Monitoring behavior of people in the EU? Same deal.

Article 4 contains 26 definitions. Personal data means information relating to an identified or identifiable person. Processing covers any operation performed on data. Controllers decide why and how to process data. Processors handle data on behalf of controllers. Consent must be freely given, specific, informed and unambiguous.

These definitions matter because they determine your obligations throughout the regulation.

Chapter 2: Principles (Articles 5-11)

Data processing principles form the backbone of GDPR compliance. Violating these draws serious penalties.

Article 5 lists six core principles. Lawfulness, fairness and transparency mean being upfront with people about what you're doing with their data. Purpose limitation requires using data only for specified, explicit purposes. Data minimization demands collecting only what you need. Accuracy means keeping data correct and current. Storage limitation prevents holding data longer than necessary. Integrity and confidentiality require appropriate security measures.

The seventh principle, accountability, makes controllers responsible for demonstrating compliance with all other principles.

Article 6 establishes six lawful bases for processing. You need at least one:

  • Consent from the data subject
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests (life or death situations)
  • Performance of a task in the public interest
  • Legitimate interests (balanced against individual rights)

Picking the wrong legal basis causes compliance headaches later. You can't just switch from one to another if someone withdraws consent.

Article 7 sets conditions for valid consent. Pre-ticked boxes don't work. Requests must be clear and separate from other terms. Withdrawing consent must be as easy as giving it. You need to document how and when someone consented.

Article 8 protects children. For information society services (online services), children under 16 need parental consent. Member states can lower this to 13. Verifying age and parental authority creates practical challenges.

Article 9 addresses special categories of personal data. This includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data about sex life or sexual orientation. Processing this information is generally prohibited unless specific conditions apply. Medical treatment, employment law obligations, and explicit consent provide exceptions.

Article 10 covers criminal conviction data. Only official authorities or entities authorized by member state law can process this information.

Article 11 says that if your processing purposes don't require identifying individuals, you're not required to obtain or retain identifying information just to comply with the GDPR. But if someone makes a rights request and you can't identify them, you can ask for additional information.

Chapter 3: Rights of data subjects (Articles 12-23)

People have expansive rights over their personal data. Organizations must facilitate these rights without creating unnecessary barriers.

Article 12 mandates transparent communication. Responses to rights requests must be concise, accessible, and in plain language. You have one month to respond (extendable to three months for complex requests). Information must be provided free of charge unless requests are manifestly unfounded or excessive.

Article 13 requires transparency at collection. When collecting data directly from individuals, you must provide information about your identity, contact details, processing purposes, legal basis, recipients, storage periods, and rights available to them. This information typically goes in a privacy policy.

Article 14 extends transparency requirements to situations where you obtain data from third parties. You have one month to provide required information to affected individuals. This creates challenges for businesses purchasing data lists or receiving data from partners.

Article 15 gives people the right to access their data. They can request confirmation that you're processing their information, along with details about processing purposes, categories of data, recipients, storage periods, and their available rights. You must provide a copy of the data free of charge.

Article 16 establishes the right to rectification. People can request correction of inaccurate data or completion of incomplete data.

Article 17 creates the right to erasure (right to be forgotten). Individuals can request deletion when data is no longer needed for its original purpose, when consent is withdrawn, when they object to processing, when processing is unlawful, or when legal obligations require erasure. Exceptions exist for legal claims, public interest, and freedom of expression.

Article 18 allows restriction of processing. Instead of deleting data, individuals can ask you to limit what you do with it under certain circumstances.

Article 19 requires notifying others. When you rectify, erase, or restrict processing, you must inform recipients of the data unless this proves impossible or requires disproportionate effort.

Article 20 grants data portability. People can receive their data in a structured, commonly used, machine-readable format. They can transmit this data to another controller. This right only applies when processing is based on consent or contract and carried out by automated means.

Article 21 covers the right to object. Individuals can object to processing based on legitimate interests or for direct marketing. You must stop processing unless you demonstrate compelling legitimate grounds that override individual rights. There are no exceptions for marketing objections.

Article 22 addresses automated decision-making and profiling. People have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Exceptions exist for contractual necessity, legal authorization, or explicit consent. Even when automated decisions are permitted, you must provide meaningful information about the logic involved and implement measures to safeguard rights.

Article 23 allows member states or EU law to restrict certain rights through legislative measures. Restrictions can apply for national security, defense, public safety, criminal investigations, or protection of judicial independence. Any such restriction must respect the essence of fundamental rights.

Chapter 4: Controller and processor (Articles 24-43)

This chapter outlines obligations for organizations handling personal data. Controllers carry most responsibilities, but processors face requirements too.

Article 24 makes controllers responsible for demonstrating compliance. This isn't just about being compliant - you must prove it through documentation and appropriate measures.

Article 25 requires data protection by design and by default. You must implement technical and organizational measures at the design phase. By default, only necessary data should be processed. Privacy can't be an afterthought bolted on after launch.

Article 26 addresses joint controllers. When two or more entities jointly determine purposes and means of processing, they must define their respective responsibilities through an arrangement. Individuals can exercise rights against any joint controller.

Article 27 requires non-EU controllers and processors to designate an EU representative in most cases. Exceptions exist for occasional processing of non-sensitive data and public authorities.

Article 28 regulates processor relationships. Controllers can only use processors who provide sufficient guarantees. Written contracts must specify the subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and obligations and rights of the controller. Processors need written authorization before engaging subprocessors.

Article 29 prohibits processors from processing data without controller instructions unless required by law.

Article 30 mandates record-keeping. Controllers and processors must maintain records of processing activities. This includes purposes of processing, categories of data subjects and personal data, recipients, transfers to third countries, storage periods, and security measures. Organizations with fewer than 250 employees get limited exemptions unless processing creates risks, occurs regularly, or involves special categories of data.

Article 31 requires cooperation with supervisory authorities. You must assist authorities upon request.

Article 32 establishes security obligations. Controllers and processors must implement appropriate technical and organizational measures considering the state of the art, implementation costs, and risks. This includes encryption, pseudonymization, ensuring confidentiality and integrity, regular testing, and documented processes for restoring availability after incidents.
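Articles 25 and 32 both name pseudonymization and data minimization as measures, but the page does not show what they look like in code. The following is an added example, not code from the original post or from ComplyDog: a small vault that replaces direct identifiers with keyed-hash tokens, drops fields the purpose doesn't need, and keeps the secret key and the token-to-identifier mapping separate from the working dataset. The field names, the sample record and the fixed key are constructed for the example; a real deployment would draw the key from a secrets store.

```python
"""Pseudonymization with a separately held key (added example, not from the page)."""
import hashlib
import hmac
from typing import Any, Dict

# Fields that directly identify a person and must not leave the vault in clear.
# Constructed for this example.
DIRECT_IDENTIFIERS = ("email", "full_name")

# Fields the working dataset actually needs. Anything not listed is dropped
# before the record leaves the vault (data protection by default, Article 25).
ALLOWED_FIELDS = ("email", "full_name", "country", "plan", "signup_month")

# Constructed sample key and record. Real deployments use os.urandom(32) and
# keep the key in a secrets manager, never alongside the pseudonymized data.
SAMPLE_KEY = bytes(range(32))
SAMPLE_RECORD = {
    "email": "ana@example.com",
    "full_name": "Ana Example",
    "country": "PT",
    "plan": "pro",
    "signup_month": "2024-03",
    "phone": "+351000000000",  # not needed for the purpose, so it is dropped
}


class PseudonymVault:
    """Holds the secret key and the token-to-identifier mapping.

    Only the vault can re-identify a token. Records returned by
    pseudonymize() carry neither key material nor the mapping, so a copy of
    the working dataset alone does not identify anyone.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._mapping: Dict[str, str] = {}

    def _token(self, value: str) -> str:
        # Keyed hash (HMAC-SHA256): without the key, tokens cannot be recomputed
        # from a list of candidate emails, unlike a plain SHA-256 of the email.
        # The same input always yields the same token, so analytics can still
        # link records belonging to one person.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Return a minimized copy of record with identifiers replaced by tokens."""
        out: Dict[str, Any] = {}
        for field, value in record.items():
            if field not in ALLOWED_FIELDS:
                continue  # minimization: the purpose does not need this field
            if field in DIRECT_IDENTIFIERS:
                token = self._token(str(value))
                self._mapping[token] = str(value)  # mapping stays in the vault
                out[field + "_token"] = token
            else:
                out[field] = value
        return out

    def reidentify(self, token: str) -> str:
        """Look up the original identifier; raises KeyError for unknown tokens."""
        return self._mapping[token]


def contains_plaintext_identifier(record: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Audit check: True if any raw identifier from original appears in record."""
    values = {str(v) for v in record.values()}
    return any(str(original[f]) in values for f in DIRECT_IDENTIFIERS if f in original)


if __name__ == "__main__":
    vault = PseudonymVault(SAMPLE_KEY)
    working_copy = vault.pseudonymize(SAMPLE_RECORD)
    print(working_copy)
    print(vault.reidentify(working_copy["email_token"]))
```

Two properties are worth checking in practice: the same record produces the same token under the same key (so the dataset remains usable for analysis), and a different key produces unrelated tokens and cannot re-identify the first vault's tokens, which is what makes a leaked working copy unlinkable without the separately held key.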

Article 33 sets breach notification requirements. Controllers must notify supervisory authorities within 72 hours of becoming aware of a breach unless the breach is unlikely to create risks for individuals. Notifications must describe the nature of the breach, likely consequences, and measures taken to address it.

Article 34 requires notifying affected individuals of high-risk breaches. Notifications must be in clear language and explain the likely consequences and measures taken. Exceptions apply when data was encrypted, measures mitigated risks, or individual notification requires disproportionate effort (in which case public communication suffices).

Article 35 introduces data protection impact assessments. When processing operations present high risks, controllers must assess impacts before processing begins. This applies to systematic monitoring of public areas on a large scale, large-scale processing of special categories, and automated decision-making with significant effects. Assessments should describe processing operations, necessity and proportionality, risks to rights and freedoms, and measures to address risks.

Article 36 requires prior consultation with supervisory authorities when impact assessments show high residual risk. Authorities must provide written advice within eight weeks (or fourteen for complex cases).

Articles 37-39 cover data protection officers. Public authorities (except courts), organizations conducting large-scale systematic monitoring, and organizations conducting large-scale processing of special categories must appoint DPOs. DPOs must have expert knowledge, independence, and adequate resources. Their tasks include monitoring compliance, advising on obligations, cooperating with authorities, and serving as contact points.

Articles 40-43 promote codes of conduct and certification mechanisms. Industry associations can develop codes to specify GDPR application. Certification schemes allow organizations to demonstrate compliance. Both mechanisms aim to enhance transparency and accountability.

Chapter 5: Transfers of personal data (Articles 44-50)

Moving data outside the EU requires meeting specific conditions. These articles govern international transfers.

Article 44 establishes that transfers to third countries or international organizations must comply with Chapter 5 provisions while respecting other GDPR requirements.

Article 45 allows transfers to countries with adequacy decisions. The European Commission assesses whether third countries provide adequate data protection. Approved countries include Canada (commercial organizations), Japan, South Korea, Switzerland, and others. The Commission maintains and reviews this list.

Article 46 permits transfers with appropriate safeguards even without adequacy decisions. Standard contractual clauses provide the most common mechanism. Binding corporate rules allow multinational companies to transfer data within their organizations. Other options include codes of conduct with binding commitments and approved certification mechanisms.

Article 47 details binding corporate rules requirements. These legally binding internal rules must be approved by the lead supervisory authority. They must specify structure, data subject rights, complaint procedures, and enforcement mechanisms.

Article 48 prevents transfers made solely because a foreign court or authority requests them. Such transfers must be based on an international agreement or satisfy one of the GDPR's permitted transfer mechanisms.

Article 49 lists derogations for specific situations. Transfers can occur with explicit consent after information about risks, for contract performance, for important public interest reasons, to protect vital interests, from public registers, or for compelling legitimate interests (subject to strict conditions). These derogations apply only when adequacy decisions or safeguards aren't available and transfers aren't repetitive.

Article 50 encourages international cooperation. The Commission and supervisory authorities engage with third countries to develop adequate data protection frameworks.

Chapter 6: Independent supervisory authorities (Articles 51-59)

Each member state operates an independent supervisory authority responsible for enforcing GDPR.

Article 51 requires each member state to establish one or more supervisory authorities. These authorities cooperate to ensure consistent GDPR application.

Article 52 guarantees independence. Supervisory authorities act independently, free from external influence. Members serve fixed terms and can only be removed for serious misconduct.

Article 53 sets membership qualifications. Members must be appointed through democratic procedures. They need appropriate qualifications, experience, and skills.

Article 54 requires member states to establish rules for supervisory authority creation, including appointment procedures, qualifications, duties, powers, financial resources, and staff. Members are bound by confidentiality obligations.

Article 55 defines competence. Supervisory authorities monitor and enforce GDPR application in their territory. They don't supervise processing by courts acting in their judicial capacity.

Article 56 establishes lead supervisory authority rules. For cross-border processing, the authority in the member state where the controller's main establishment is located serves as lead authority. This mechanism aims to create one-stop-shop supervision.

Article 57 lists supervisory authority tasks. These include monitoring GDPR enforcement, promoting public awareness, advising national parliaments and governments, handling complaints, conducting investigations, and cooperating with other authorities.

Article 58 grants supervisory authorities extensive powers. Investigative powers include ordering information, accessing premises, and obtaining access to data. Corrective powers include issuing warnings and reprimands, ordering compliance, imposing temporary or permanent processing bans, and levying administrative fines. Advisory powers include providing opinions and authorizing contractual clauses.

Article 59 requires annual activity reports. These reports must be made public and transmitted to relevant institutions. They provide transparency about supervisory authority activities and enforcement actions.

Chapter 7: Cooperation and consistency (Articles 60-76)

These articles establish how supervisory authorities work together to ensure consistent GDPR application across Europe.

Articles 60-62 create cooperation mechanisms. The lead supervisory authority cooperates with other concerned authorities to reach consensus. Authorities provide mutual assistance and can conduct joint operations, allowing staff from one member state to operate in another.

Article 63 introduces the consistency mechanism to ensure uniform GDPR application.

Articles 64-66 govern the European Data Protection Board's role in maintaining consistency. The Board issues opinions on draft decisions concerning codes of conduct, certification criteria, standard contractual clauses, binding corporate rules, and adequacy decisions. The Board can make binding decisions to resolve disputes between supervisory authorities. Urgent procedures allow immediate protective measures when necessary.

Article 67 authorizes the Commission to specify information exchange formats through implementing acts.

Articles 68-76 establish the European Data Protection Board structure and operations. The Board consists of the head of each supervisory authority plus the European Data Protection Supervisor. It operates independently. The Board elects a chair and two deputy chairs for five-year terms. Decisions require simple majority votes. The Board adopts rules of procedure and maintains a secretariat. Discussions remain confidential where appropriate. The Board issues annual reports on data protection in Europe.

Chapter 8: Remedies, liability and penalties (Articles 77-84)

Enforcement mechanisms give the GDPR teeth. These articles outline how violations get addressed.

Article 77 grants individuals the right to lodge complaints with supervisory authorities. Authorities must inform complainants about progress and outcomes.

Article 78 allows individuals to bring judicial proceedings against supervisory authority decisions concerning them. Proceedings take place in the member state where the authority is established.

Article 79 gives individuals the right to effective judicial remedy against controllers or processors. Actions can be brought where the controller or processor has an establishment or where the individual resides.

Article 80 permits not-for-profit organizations to represent individuals in lodging complaints and exercising rights. Member states may also allow such organizations to lodge complaints independently.

Article 81 allows courts to suspend proceedings when related cases are pending in other member states.

Article 82 establishes liability and compensation rights. Anyone suffering material or non-material damage from GDPR infringements has the right to compensation. Controllers are liable for damage caused by processing infringing GDPR. Processors are liable for damage caused by violating processor-specific obligations or acting outside lawful controller instructions. Controllers and processors can escape liability by proving they weren't responsible for the damage.

Article 83 sets administrative fines. Two tiers exist. Lower-tier violations (like inadequate security measures, failing to notify breaches, or insufficient record-keeping) incur fines up to €10 million or 2% of annual global turnover, whichever is higher. Higher-tier violations (like processing without lawful basis, violating core principles, or infringing data subject rights) face fines up to €20 million or 4% of annual global turnover, whichever is higher.

Authorities consider multiple factors when imposing fines: nature, gravity, and duration of the infringement; intentional or negligent character; actions taken to mitigate damage; degree of responsibility; previous infringements; cooperation with authorities; categories of data affected; and whether the infringement was reported. The goal is proportionate, dissuasive, and effective penalties.

Article 84 allows member states to establish additional penalties through national law.

Chapter 9: Specific processing situations (Articles 85-91)

Certain contexts require special considerations. This chapter addresses specific scenarios.

Article 85 balances data protection with freedom of expression and information. Member states must provide exemptions or derogations for processing in the context of journalism, academic expression, artistic expression, or literary expression.

Article 86 addresses public access to official documents. Personal data in official documents can be disclosed when member state law reconciles access rights with data protection.

Article 87 allows member states to determine conditions for processing national identification numbers.

Article 88 permits member states to adopt more specific rules for employment contexts. These can address recruitment, performance of contracts, equality and diversity, health and safety, and exercise of rights.

Article 89 provides safeguards for archiving, research, and statistics. Processing for these purposes benefits from certain derogations to data subject rights, provided appropriate safeguards exist. Member states can introduce further derogations for these purposes.

Article 90 recognizes professional secrecy obligations. Member states may adopt rules regarding supervisory authority powers to access data held by professionals bound by confidentiality.

Article 91 allows churches and religious associations to maintain existing data protection rules if aligned with GDPR requirements.

Chapter 10: Delegated acts (Articles 92-93)

Article 92 grants the European Commission power to adopt delegated acts. These are legislative instruments that amend non-essential elements of the GDPR. The Parliament or Council can revoke this delegation or object to delegated acts.

Article 93 establishes a committee procedure to assist the Commission in adopting implementing acts.

Chapter 11: Final provisions (Articles 94-99)

These closing articles handle transitional matters and future reviews.

Article 94 repeals Directive 95/46/EC, the previous data protection directive. References to the old directive are now read as references to the GDPR.

Article 95 clarifies the relationship with the ePrivacy Directive (2002/58/EC). The GDPR doesn't impose additional obligations beyond those in the ePrivacy Directive. Both instruments apply together.

Article 96 addresses international agreements concluded before May 2016. These agreements remain in force until amended, replaced, or revoked.

Article 97 requires the Commission to submit evaluation reports every four years. These reports assess GDPR application and may propose amendments. The first report was due in 2020.

Article 98 directs the Commission to review other EU legal acts on data protection after GDPR evaluation.

Article 99 establishes that the GDPR entered into force on May 24, 2016, but applied from May 25, 2018. This gave organizations two years to achieve compliance.

Building compliance into operations

The GDPR contains detailed requirements affecting nearly every aspect of data handling. Organizations need systematic approaches to meet obligations across all 99 articles.

Modern compliance requires more than reading the regulation. You need processes for responding to rights requests within one-month deadlines. You need documentation demonstrating accountability. You need security measures appropriate to your risk profile. You need vendor contracts with proper data processing clauses. And you need mechanisms to track all of this.

Compliance software like ComplyDog helps organizations manage GDPR requirements systematically. These platforms provide templates for required documentation, workflows for rights requests, automated breach notification processes, and vendor risk assessments. Rather than building compliance infrastructure from scratch, businesses can implement proven frameworks that address articles across all chapters.

The regulation isn't getting simpler. But the tools for meeting its requirements continue to improve. Organizations that treat compliance as an operational capability rather than a legal checkbox put themselves in the best position to handle evolving data protection requirements.
