Appendix A

Author: David Zetoony
Profession: Partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
Pages: 161-315
APPENDIX A
Text of the GDPR
Table of Contents [289]
(Cross-references to relevant recitals are in parentheses)
CHAPTER I—General provisions
Article 1—Subject-matter and objectives (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
Article 2—Material scope (14, 15, 16, 17, 18, 19, 20, 21)
Article 3—Territorial scope (22, 23, 24, 25)
Article 4—Denitions (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
CHAPTER II—Principles
Article 5—Principles relating to processing of personal data (39)
Article 6—Lawfulness of processing (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 155)
Article 7—Conditions for consent (32, 33, 42, 43)
Article 8—Conditions applicable to child’s consent in relation to information society services (38)
Article 9—Processing of special categories of personal data (51, 52, 53, 54, 55, 56)
Article 10—Processing of personal data relating to criminal convictions and offences
Article 11—Processing which does not require identification (57)
CHAPTER III—Rights of the data subject
Section 1—Transparency and modalities
Article 12—Transparent information, communication and modalities for the exercise of the rights of the data subject (58, 59)
Section 2—Information and access to personal data
Article 13—Information to be provided where personal data are collected from the data subject (60, 61, 62)
Article 14—Information to be provided where personal data have not been obtained from the data subject
Article 15—Right of access by the data subject (63, 64)
[289] Table of contents and cross-reference to recitals were drafted by SecureDataService © and have been reprinted here by permission.
THE EU GENERAL DATA PROTECTION REGULATION (GDPR)
Section 3—Rectification and erasure
Article 16—Right to rectication (65)
Article 17—Right to erasure (‘right to be forgotten’) (65, 66)
Article 18—Right to restriction of processing (67)
Article 19— Notication obligation regarding rectication or erasure of per-
sonal data or restriction of processing
Article 20—Right to data portability (68)
Section 4—Right to object and automated
individual decision-making
Article 21—Right to object (69, 70)
Article 22—Automated individual decision-making, including proling (71, 72)
Section 5—Restrictions
Article 23—Restrictions (73)
CHAPTER IV—Controller and processor
Section 1—General obligations
Article 24—Responsibility of the controller (74, 75, 76, 77, 83)
Article 25—Data protection by design and by default (78)
Article 26—Joint controllers (79)
Article 27—Representatives of controllers or processors not established in the Union (80)
Article 28—Processor (81)
Article 29—Processing under the authority of the controller or processor
Article 30—Records of processing activities (13, 39, 82)
Article 31—Cooperation with the supervisory authority
Section 2—Security of personal data
Article 32—Security of processing (74, 75, 76, 77, 83)
Article 33— Notication of a personal data breach to the supervisory author-
ity (75, 85, 87, 88)
Article 34— Communication of a personal data breach to the data subject (75,
86, 87, 88)
APPENDIX A  163
Section 3—Data protection impact assessment and prior consultation
Article 35—Data protection impact assessment (75, 84, 89, 90, 91, 92, 93)
Article 36—Prior consultation (94, 95, 96)
Section 4—Data protection officer
Article 37—Designation of the data protection officer (97)
Article 38—Position of the data protection officer (97)
Article 39—Tasks of the data protection officer (97)
Section 5—Codes of conduct and certification
Article 40—Codes of conduct (98, 99)
Article 41—Monitoring of approved codes of conduct
Article 42—Certication (100)
Article 43—Certication bodies
CHAPTER V—Transfers of personal data to third
countries or international organisations
Article 44—General principle for transfers (101, 102)
Article 45—Transfers on the basis of an adequacy decision (103, 104, 105, 106, 107)
Article 46—Transfers subject to appropriate safeguards (108, 109)
Article 47—Binding corporate rules (110)
Article 48—Transfers or disclosures not authorised by Union law
Article 49—Derogations for specific situations (111, 112, 113, 114, 115, 116)
Article 50—International cooperation for the protection of personal data
CHAPTER VI—Independent supervisory authorities
Section 1—Independent status
Article 51—Supervisory authority (117, 118, 119)
Article 52—Independence (118, 120)
Article 53—General conditions for the members of the supervisory authority (121)
Article 54—Rules on the establishment of the supervisory authority
Section 2—Competence, tasks and powers
Article 55—Competence (122)
Article 56—Competence of the lead supervisory authority (124, 125, 126, 127, 128)
