GDPR 101: The Ultimate Reference Guide (Listicle)

"The fines of GDPR non-compliance are big, but the reputational risk is a lot bigger."

As far as data protection laws are concerned, the General Data Protection Regulation (GDPR) continues to be the general barometer globally. Not only did it push businesses into taking the privacy of their users' data a lot more seriously, but it has also proven time and time again that non-compliance with it will not go unpunished, no matter how big you are. Just ask Facebook, Google, or Amazon.

GDPR's three fundamental pillars are:

  1. A data subject owns their own data, and when it is shared with anyone else, it is only ever on loan. Anyone interacting with that data must treat it as they would any loan of a valuable item.
  2. Personal data is defined as any data that on its own or in conjunction with other data, can identify an individual.
  3. If an organization has data it must always keep it safe from loss or change, and must not share it with others unless via a lawful basis and ensuring that the secondary system, person or organization also accepts and implements the same security and controls.

These three pillars underpin the whole power of GDPR. At all times, data controllers, data processors and even data subjects themselves need to keep them in mind, and many questions about the regulation can be understood once these pillars are considered in depth.

The GDPR's 99 articles are thorough and explain the rights and responsibilities of all concerned parties. However, navigating through the entire piece of legislation is a lot easier said than done. Hence, here are all the 99 articles along with a brief description of what each article entails to make comprehension easier:

General Provisions

  • Article 1 states and elaborates all the rules on processing personal data and the free movement of personal data to protect the fundamental rights and freedoms of data subjects and their right to protection of their personal data.
  • Article 2 of the GDPR deals with the material scope of the regulation, i.e., what sort of data is covered by the GDPR.
  • Article 3 of the GDPR deals with how the law applies to data controllers and data processors within the EU borders and outside the EU borders if they process the data of EU residents.
  • Article 4 contains all the essential definitions of crucial terms and terminologies used in the official GDPR text. In total, there are 26 definitions.


  • Article 5 requires that all personal data be processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; be adequate, relevant, and limited to what is necessary; etc.
  • Article 6 lists all the six reasons that constitute a "lawful" reason for processing, i.e., the data subject has given proper consent, processing being necessary to perform a binding contractual agreement, etc.
  • Article 7 explains what constitutes consent and the responsibility of the data processor/controller to have elicited this consent without any external influence.
  • Article 8 illustrates all the conditions involved in gaining the consent of children (though the age of adulthood is defined by each country).
  • Article 9 prohibits the collection of a special category of personal data such as race, political opinions, religion, philosophy, trade union membership, genetic data, health, sex life, and sexual orientation unless the data subject gives explicit consent.
  • Article 10 prohibits data processing related to criminal convictions unless carried out by an official authority or authorized by an EU member state.
  • Article 11 states that a data controller/processor does not need to collect personal data to identify a data subject if the purpose of collecting the data does not require the data subject to be identified.

Data Subject Rights

  • Article 12 of the GDPR stipulates that a data controller must ensure that the data subject is well aware of their rights in an easily comprehensible language. Furthermore, the data controller must inform the data subject of any action they take when a data subject makes such a request.
  • Article 13 ensures that the data controller must inform the data subject if any data or information has been collected from them.
  • Article 14 guarantees a data subject is informed when any data or information is collected via any other source.
  • Article 15 gives data subjects the right to know who is processing their data and exactly what kind of data they've processed on them so far.
  • Article 16 allows the data subject to request changes to any data collected on them owing to it being obsolete, incorrect, or incomplete.
  • Article 17 allows a data subject to request any data controller to delete all data collected on them.
  • Article 18 gives data subjects the right to request any data controller to cease the processing of their data.
  • Article 19 ensures that whenever a data controller plans to delete or alter a data subject's data in any way, they must inform the data subject of this.
  • Article 20 guarantees that the data subject can request a copy of all data collected on them by one data controller be sent to another data controller in a machine-readable format.
  • Article 21 ensures that a data subject can object to having their data collected or processed for any reason.
  • Article 22 gives data subjects the right to opt-out of being subjected to any sort of automated decision-making as well as profiling.
  • Article 23 gives EU member states the legislative power to restrict the rights given to data subjects under Article 12 through Article 22 in exceptional circumstances.

Data Controller/Processor Responsibilities & Obligations

  • Article 24 of the GDPR states the numerous unprecedented responsibilities and obligations upon data controllers collecting or processing users' data.
  • Article 25 highlights one key responsibility, i.e., to ensure a privacy-by-default mechanism across their data processing activities so that data subjects' rights are not violated by any means.
  • Article 26 lays down the responsibilities of all parties involved in data collected in case more than one data controller is involved.
  • Article 27 lays down the need for data controllers to ensure they have a public representative present within the EU jurisdiction if they are based outside the EU.
  • Article 28 deals with the responsibilities of a data processor appointed by a data controller to process and collect data on their behalf.
  • Article 29 ensures that a data processor can finally begin processing and collecting user data once they have express permission from the data controller. Before the data processor can move ahead with data collection, they must satisfy the protection requirements set by the GDPR.
  • Article 30 instructs all data processors and data controllers to categorically maintain a thorough record of all processing activities undertaken by them.
  • Article 31 requires all data controllers and data processors to cooperate fully with the regulatory authorities and assist them to their best ability.
  • Article 32 highlights the responsibility of data processors and data controllers to take appropriate security measures to ensure all data collected is stored properly and not subject to any risks.
  • Article 33 ensures that a data controller must notify the regulatory authorities of a breach within 72 hours unless there is sufficient proof that the breach is unlikely to put data subjects' data at risk. However, a data processor must inform the data controller of the breach immediately.
  • Article 34 requires the data controller to inform the data subjects immediately if there is a possibility of their data being at risk.
  • Article 35 requires a thorough data protection impact assessment to be carried out if a data processor or controller's data collection practices or mechanisms are likely to put data subjects at risk.
  • Article 36 states that the data controller needs to consult with the regulatory bodies if the impact assessment reveals a high likelihood of data subjects being at risk. The regulatory bodies must provide their advice within eight weeks of the consultation being made.
  • Article 37 requires all data controllers and data processors to hire a data protection officer (DPO) if data processing activities require consistent monitoring of data subjects.
  • Article 38 stipulates that the DPO must be involved in all decision-making related to data protection while also instructing data processors and data controllers not to interfere in the DPO's day-to-day functions.
  • Article 39 lays down all the responsibilities and tasks of the DPO within the organization.
  • Article 40 contains the necessary code of conduct to ensure the GDPR's application across the EU's jurisdiction accordingly.
  • Article 41 relates to a supervisory body responsible for ensuring and evaluating compliance with the GDPR's code of conduct.
  • Article 42 encourages the establishment of proper certification for those who fully comply with this code of conduct.
  • Article 43 deals with establishing certification bodies responsible for handing out these certificates.

Transfer of Personal Data Outside the EU Jurisdiction

  • Article 44 lays down the general conditions that data processors and controllers must meet before any transfer occurs.
  • Article 45 deals with which jurisdictions are considered safe for the data processed and collected within the EU to be transferred to without additional controls (EU, EEA, and those countries defined as “adequate” as published by the EU).
  • Article 46 allows data to be transferred to another country outside the EU jurisdiction if it has provided appropriate guarantees of safeguard for the data being transferred.
  • Article 47 deals with the provisions if the transfer of data is required due to a binding agreement.
  • Article 48 stipulates that any decisions related to the transfer of data in the third country can only be enforced if it is based on an international agreement.
  • Article 49 deals with the additional requirements in case the conditions in Article 45 are not met.
  • Article 50 encourages cooperation between the regulatory bodies of third countries and international organizations.

Supervisory Authority

  • Article 51 requires all EU member countries to establish their own regulatory authority to enforce the GDPR within their national borders.
  • Article 52 grants the regulatory authorities a certain degree of autonomy, while Article 53 lays down the criteria for members of the regulatory authority.
  • Article 53 requires all member states to establish a regulatory authority while highlighting their responsibilities and other operational affairs.
  • Article 54 highlights the need for the regulatory authority to be qualified and competent in their duty.
  • Article 55 highlights the importance of the regulatory authority to have the required competency.
  • Article 56 focuses on the importance of the regulatory authority's head to have the required credentials and competence to lead the body.
  • Article 57 lays down all the other responsibilities of the regulatory authorities.
  • Article 58 states what powers the regulatory authority must have.
  • Article 59 requires all regulatory authorities to produce an annual performance report available to the public.
  • Article 60 highlights the responsibility of regulatory authorities across the EU to co-operate with one another.
  • Article 61 urges all regulatory authorities to provide support and assistance to one another.
  • Article 62 delves into how regulatory authorities can conduct joint operations.
  • Article 63 requires all regulatory authorities to maintain consistent communication with one another.
  • Article 64 stipulates the responsibility of the regulatory bodies to take the advice and recommendations of their respective Boards onboard.
  • Article 65 allows the Board to step in and resolve any disputes within the regulatory body.
  • Article 66 allows regulatory authorities to undertake provisional measures that cannot exceed three months in extraordinary circumstances.
  • Article 67 stipulates establishing procedures to facilitate the communication of information between regulatory bodies.
  • Article 68 requires each member state to nominate one member to the European Data Protection Board (EDPB).
  • Article 69 urges the EDPB to be independent while performing its tasks.
  • Article 70 specifies the tasks that must be fulfilled by the EDPB.
  • Article 71 requires the EDPB to publish an annual public performance report.
  • Article 72 ensures that all of the EDPB's decisions must be made via a two-thirds majority vote.
  • Article 73 lays down the membership structure of the Board, including their terms.
  • Article 74 states the responsibilities of the chairman of the EDPB.
  • Article 75 lays down the responsibility of the EDPB's supervisor to appoint a Secretariat responsible for carrying out tasks assigned by the chairman.
  • Article 76 stipulates that all of the EDPB's discussions will remain confidential.


  • Article 77 gives data subjects the right to lodge an official complaint with the regulatory authority.
  • Article 78 gives data subjects the right to appeal a regulatory authority's decision in a court of law.
  • Article 79 ensures that data subjects have the right to seek a judicial remedy if they believe a data controller/processor has violated their rights.
  • Article 80 allows a data subject to delegate their right to seek a judicial remedy against a data controller/processor to a regulatory authority.
  • Article 81 allows a court in any EU member country to suspend proceedings on a case on a subject once they realize similar proceedings are underway in another EU member country on the same matter.
  • Article 82 ensures that all data subjects have a right to seek financial compensation from a data controller, data processor, or both in case they are proven to have suffered damage due to the data controller/processor being in breach of the GDPR's provisions. Conditions for the award of compensation are described in Article 83.
  • Article 83 lays down the general conditions for imposing administrative fines by the data regulatory authorities.
  • Article 84 deals with how penalties are dealt with in case of non-compliance by a data controller or data processor.

Provisions Regarding Data Processing

  • Article 85 stipulates that all member nations must ensure the freedom of expression and information while guaranteeing data protection online.
  • Article 86 extends this responsibility to ensure the freedom of expression and information while guaranteeing data protection online to official documents.
  • Article 87 extends this protection to national identification numbers.
  • Article 88 deals with the responsibility of organizations to protect their employees' personal data.
  • Article 89 deals with the conditions that need to be fulfilled if data needs to be archived.
  • Article 90 states the responsibility of the regulatory bodies to elicit data processors'/controllers' secrecy in case of archiving data related to the public interest, scientific/historical research, or statistical reasons.
  • Article 91 deals with the responsibility of the Church and other religious organizations in coming up with their own rules and procedures in line with the GDPR provisions to protect their members' data.
  • Article 92 states that the European Parliament can take away the delegation of power given to these regulatory bodies and the Commission in their respective countries at any time.
  • Article 93 states that a committee will assist the Commission at all times during their operation.

Relations To Previous Agreements

  • Article 94 repeals the old data processing law, better known as Directive 95/46/EC.
  • Article 95 deals with the GDPR's relationship to Directive 2002/58/EC.
  • Article 96 deals with the GDPR's relationship with international agreements involving the transfer of data to third countries or organizations that were set up before 24 May 2016.

Final Provisions

  • Article 97 requires the Commission to produce a report on the performance of the GDPR to the European Parliament every four years.
  • Article 98 allows the Commission to recommend changes to the GDPR in this report.
  • Article 99 states that the GDPR will come into effect from 25 May 2018.

How Securiti Can Help

The GDPR changed the way the world looked at data protection. It is by far the most crucial reason why the GDPR remains the gold standard for other data protection regulations globally. It strikes the perfect balance between guaranteeing users' adequate privacy and data protection online without restricting websites in their daily customer acquisition tasks too much.

Considering just how important it is to comply with the GDPR provisions if a business wants to cater to EU-based customers, automation is the most effective and efficient way to achieve this. It makes complete sense once you factor in the sheer amount of data involved.

Securiti is a global leader in data privacy management solutions. Thanks to its PrivacyOps framework that relies on artificial intelligence and machine learning, it can help any business achieve compliance at the click of a single button.

Request a demo today and see how Securiti's tools can help you.
