With the increase in the use of data-driven technologies and in the volumes of data an organization collects and processes, there has been a growing "data privacy" concern. The General Data Protection Regulation (GDPR) continues to be the most comprehensive data protection law globally. It has also proven time and again that non-compliance with it will not go unpunished.
The GDPR is based on the following fundamental data protection principles:
- Lawfulness, fairness, and transparency: organizations must process personal data lawfully and fairly. They must also keep data subjects informed of their data collecting and processing activities.
- Purpose limitation: organizations must not use personal data for a purpose other than originally collected unless there is a lawful basis.
- Data minimization: organizations must not collect unnecessary data.
- Accuracy: organizations must keep the data accurate.
- Storage limitation: organizations must not store the data for longer than it is required.
- Integrity and confidentiality: organizations must ensure data security.
- Accountability: organizations must be able to demonstrate compliance with the requirements of the GDPR.
Data controllers and data processors need to keep these data protection principles in mind and ensure compliance.
The GDPR's 99 articles are thorough and explain the rights of data subjects and the responsibilities of organizations. However, navigating the entire legislation is easier said than done. Hence, here are all 99 articles, along with a brief description of what each article entails, to make comprehension easier:
General Provisions
- Article 1 states the general rule that the GDPR aims to protect fundamental rights and freedoms of natural persons in connection to their personal data and facilitates the free movement of personal data.
- Article 2 of the GDPR deals with the material scope of the regulation, i.e., what sort of data processing is covered by the GDPR. Accordingly, the GDPR applies to the processing of personal data wholly or partly by automated means or which form part of a filing system or are intended to form part of a filing system.
- Article 3 of the GDPR deals with how the law applies to organizations within the EU borders and outside the EU borders if they process the data of EU residents.
- Article 4 contains all the essential definitions of crucial terms and terminologies used in the official GDPR text. In total, there are 26 definitions.
Principles
- Article 5 requires that all personal data be processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; be adequate, relevant, and limited to what is necessary; etc.
- Article 6 lists six lawful grounds for data processing. These include the data subject’s consent, the performance of a contract, compliance with a legal obligation, protection of vital interests of data subjects, the performance of a public task, and legitimate interests of the data controller.
- Article 7 provides for conditions of valid consent. Accordingly, organizations must be able to demonstrate that the data subject has consented where the data processing is based on the data subject’s consent.
- Article 8 illustrates all the conditions involved in gaining the consent of children (though each member state defines the age of adulthood).
- Article 9 provides for the limited circumstances in which the processing of sensitive personal data is permitted. Sensitive personal data includes data relating to an individual's race, political opinions, religion, philosophy, trade union membership, genetic data, health, sex life, and sexual orientation.
- Article 10 prohibits data processing related to criminal convictions unless it is carried out by an official authority or authorized by an EU member state, and appropriate safeguards are given to data subjects.
- Article 11 states that a data controller/processor does not need to collect additional personal data to identify a data subject if the purpose of collecting the data does not require the data subject to be identified.
Data Subject Rights
- Article 12 of the GDPR requires data controllers to provide information to data subjects relating to the processing of their personal data in a transparent, intelligible, and easily accessible form, and clear and plain language.
- Article 13 provides for the information to be provided to the data subject where personal data is collected directly from the data subject.
- Article 14 provides for the information to be provided to the data subject where personal data is not collected from the data subject.
- Article 15 gives data subjects the right of access to personal data. The data subject’s right of access includes the right to obtain confirmation as to whether or not data is being processed and access to the personal data.
- Article 16 allows the data subject to request changes to any data collected on them owing to it being obsolete, incorrect, or incomplete.
- Article 17 allows a data subject to request the data controller to delete all data collected on them under certain circumstances.
- Article 18 gives data subjects the right to request the data controller to cease the processing of their data.
- Article 19 ensures that whenever the data controller plans to delete or alter a data subject's data, they must inform the data subject of this.
- Article 20 provides the data subject the right to receive the personal data in a structured, commonly used, and machine-readable format to be able to transmit data from one data controller to another.
- Article 21 provides a data subject the right to object to the processing of their personal data. This includes the right to withdraw consent where the processing is based on the data subject’s consent.
- Article 22 gives data subjects the right to opt out of being subjected to automated decision-making including profiling.
- Article 23 gives EU member states the legislative power to restrict the rights given to data subjects under Article 12 through Article 22.
Data Controller & Data Processor
- Article 24 of the GDPR requires data controllers to implement appropriate technical and organizational measures for the protection of personal data and ensure compliance with the GDPR.
- Article 25 emphasizes the principles of data protection by design and data protection by default.
- Article 26 lays down the responsibilities of all parties in case more than one data controller is involved.
- Article 27 lays down the requirement for data controllers based outside the EU to appoint an EU representative. The appointment of a representative is not mandatory if data processing is occasional, does not include large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offenses, and is unlikely to result in a risk to the rights and freedoms of natural persons.
- Article 28 deals with the responsibilities of a data processor appointed by a data controller to process and collect data on their behalf.
- Article 29 emphasizes that a data processor must process the data on instructions from the data controller.
- Article 30 requires all data processors and data controllers to maintain a thorough record of all processing activities undertaken by them.
- Article 31 requires all data controllers and data processors to cooperate fully with the relevant regulatory authority.
- Article 32 highlights the responsibility of data processors and data controllers to take appropriate security measures to ensure all data collected is stored properly and not subject to any risks.
- Article 33 requires a data controller to notify any and all personal data breaches to the regulatory authority within 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- Article 34 requires the data controller to inform the data subjects of the personal data breach without undue delay if there is a possibility of high risk to the rights and freedoms of data subjects.
- Article 35 requires a thorough data protection impact assessment to be carried out if a data processor or controller's data collection practices or mechanisms are likely to put data subjects at high risk.
- Article 36 states that the data controller needs to consult with the regulatory authority if the data protection impact assessment reveals that the processing would result in a high risk to data subjects in the absence of measures taken by the controller to mitigate the risk.
- Article 37 requires all data controllers and data processors to hire a data protection officer (DPO) if the core processing operations require regular and systematic monitoring of data subjects on a large scale or the core data processing activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
- Article 38 stipulates that the DPO must be involved in all issues related to data protection while also instructing that data processors and data controllers must ensure that the DPO's tasks and duties do not result in a conflict of interests.
- Article 39 lays down all the responsibilities and tasks of the DPO within the organization.
- Article 40 provides that member states, supervisory authorities, the Board, and the Commission will encourage the drawing up of codes of conduct for the proper application of the GDPR.
- Article 41 contains provisions related to the monitoring of approved codes of conduct, which is to be carried out by a body having an appropriate level of expertise on the subject matter.
- Article 42 encourages the establishment of data protection certification mechanisms for the purpose of demonstrating compliance with the GDPR.
- Article 43 contains provisions related to certification bodies responsible for issuing and renewing certifications.
Transfer of Personal Data Outside the EU Jurisdiction
- Article 44 lays down the general principle that data processors and controllers must meet conditions laid down in the GDPR for any cross-border data transfer.
- Article 45 allows cross-border data transfers to countries that ensure an adequate level of data protection. It lists down elements that the European Commission takes into account when assessing the adequacy of the level of protection offered by a country.
- Article 46 allows data to be transferred to another country outside the EU jurisdiction if it ensures an essentially equivalent level of data protection or if there are safeguards in place ensuring the same.
- Article 47 deals with binding corporate rules (BCRs) within a group of enterprises engaged in a joint economic activity as one of the cross-border data transfer mechanisms. BCRs must be approved by the competent supervisory authority.
- Article 48 is about data transfers or disclosures that are not authorized by Union law.
- Article 49 deals with the derogations that can be used for cross-border data transfers in the absence of an adequacy decision and appropriate safeguards. These derogations can be used only in exceptional cases and non-repetitive data transfers.
- Article 50 talks about steps to be taken by the European Commission and supervisory authorities in connection to international cooperation for the protection of personal data.
Independent Supervisory Authorities
- Article 51 requires all EU member countries to establish their own regulatory authority to enforce the GDPR within their national borders.
- Article 52 grants the regulatory authorities a certain degree of autonomy in exercising powers in accordance with the GDPR.
- Article 53 requires all member states to establish a regulatory authority while highlighting their responsibilities and other operational affairs.
- Article 54 highlights rules on the establishment of the supervisory authority by a member state.
- Article 55 highlights the importance of the regulatory authority to be professionally and technically competent for the performance of its tasks.
- Article 56 deals with the competence of the lead regulatory authority. The lead supervisory body refers to the supervisory authority of the main establishment.
- Article 57 lays down all the responsibilities of the regulatory authorities.
- Article 58 states what powers the regulatory authority must have.
- Article 59 requires all regulatory authorities to produce an annual performance report available to the public.
- Article 60 highlights the responsibility of regulatory authorities across the EU to co-operate with one another.
- Article 61 urges all regulatory authorities to provide support and assistance to one another.
- Article 62 delves into how regulatory authorities can conduct joint operations.
- Article 63 requires all regulatory authorities to cooperate with each other for the consistent application of the GDPR.
- Article 64 stipulates the responsibility of the regulatory bodies to take the advice and recommendations of their respective Boards onboard.
- Article 65 lays down situations when the Board can adopt a binding decision for the correct and consistent application of the GDPR.
- Article 66 allows regulatory authorities to undertake provisional measures that cannot exceed three months in extraordinary circumstances in order to protect the rights and freedoms of data subjects.
- Article 67 stipulates establishing procedures to facilitate the communication of information by electronic means between regulatory bodies and the Board.
- Article 68 establishes the European Data Protection Board (EDPB) as a body of the European Union. The EDPB shall be composed of the head of one supervisory authority of each member state and of the European Data Protection Supervisor, or their respective representatives.
- Article 69 urges the EDPB to be independent while performing its tasks.
- Article 70 specifies the tasks that must be fulfilled by the EDPB.
- Article 71 requires the EDPB to publish an annual public report regarding the protection of natural persons.
- Article 72 stipulates that all of the EDPB's decisions are taken by a two-thirds majority vote.
- Article 73 lays down the membership structure of the Board and states that the term of office of the Chair and of the deputy chairs shall be five years and is renewable.
- Article 74 states the responsibilities of the Chair of the EDPB.
- Article 75 deals with the appointment of a Secretariat responsible for providing analytical, administrative, and logistical support to the EDPB.
- Article 76 stipulates that all of the EDPB's discussions will remain confidential.
Remedies/Liabilities/Penalties
- Article 77 gives data subjects the right to lodge an official complaint with the regulatory authority.
- Article 78 gives data subjects the right to appeal a regulatory authority's decision in a court of law.
- Article 79 ensures that data subjects have the right to seek a judicial remedy if they believe a data controller/processor has violated their rights.
- Article 80 allows a data subject to delegate their right to a not-for-profit body in order to seek a judicial remedy against a data controller/processor before the regulatory authority.
- Article 81 allows a court in any EU member country to suspend proceedings on a case when it learns that similar proceedings on the same matter are pending in another EU member country.
- Article 82 ensures that all data subjects have a right to seek financial compensation from a data controller, data processor, or both in case they are proven to have suffered damage due to the data controller/processor being in breach of the GDPR's provisions. Conditions for the award of compensation are described in Article 83.
- Article 83 lays down the general conditions for imposing administrative fines by the data regulatory authorities. The maximum fine that can be imposed under the GDPR is 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Article 84 deals with the penalties applicable in case of non-compliance by a data controller or data processor.
Provisions relating to specific processing situations
- Article 85 stipulates that all member nations must ensure the right to freedom of expression and information.
- Article 86 deals with the processing of personal data in official documents held by a public authority.
- Article 87 deals with the processing of national identification numbers.
- Article 88 allows member states to provide more specific rules for the protection of employees’ personal data.
- Article 89 deals with the conditions that need to be fulfilled if data needs to be archived in the public interest.
- Article 90 states that member states may set out specific rules in connection to the obligation of professional secrecy.
- Article 91 deals with the responsibility of the Church and other religious organizations in coming up with their own rules and procedures in line with the GDPR provisions to protect their members' data.
- Article 92 deals with the exercise of the delegation of power to the European Commission. It states that the European Parliament can take away the delegation of power given to regulatory bodies and the Commission in their respective countries for certain actions.
- Article 93 states that a committee will assist the Commission.
Relations To Previous Agreements
- Article 94 repeals the old data processing law, better known as Directive 95/46/EC.
- Article 95 deals with the GDPR's relationship to Directive 2002/58/EC.
- Article 96 deals with the GDPR’s relationship with international agreements involving the transfer of data to third countries or organizations that were set up before 24 May 2016.
Final Provisions
- Article 97 requires the Commission to produce a report on the review of the GDPR to the European Parliament every four years.
- Article 98 allows the Commission to recommend changes to the GDPR via legislative proposals.
- Article 99 states that the GDPR comes into effect from 25 May 2018.
How Securiti Can Help
The GDPR changed the way the world looked at data protection.
Given how important it is to comply with the GDPR provisions if a business wants to cater to EU-based customers, automation is the most effective and efficient way to achieve compliance. This makes complete sense once you factor in the sheer amount of data involved.
Securiti is a global leader in data privacy management solutions. Thanks to its PrivacyOps framework that relies on artificial intelligence and machine learning, it can help any business achieve compliance at the click of a single button.
Request a demo today and see how Securiti's tools can help you.