Article 1. Subject-matter and objectives string(14) "Material scope"
Article 2. Material scope string(17) "Territorial scope"
Article 3. Territorial scope string(11) "Definitions"
Article 4. Definitions string(50) "Principles relating to processing of personal data"
Article 5. Principles relating to processing of personal data string(24) "Lawfulness of processing"
Article 6. Lawfulness of processing string(22) "Conditions for consent"
Article 7. Conditions for consent string(84) "Conditions applicable to child's consent in relation to information society services"
Article 8. Conditions applicable to child's consent in relation to information society services string(49) "Processing of special categories of personal data"
Article 9. Processing of special categories of personal data string(73) "Processing of personal data relating to criminal convictions and offences"
Article 10. Processing of personal data relating to criminal convictions and offences string(48) "Processing which does not require identification"
Article 11. Processing which does not require identification string(104) "Transparent information, communication and modalities for the exercise of the rights of the data subject"
Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject string(82) "Information to be provided where personal data are collected from the data subject"
Article 13. Information to be provided where personal data are collected from the data subject string(91) "Information to be provided where personal data have not been obtained from the data subject"
Article 14. Information to be provided where personal data have not been obtained from the data subject string(35) "Right of access by the data subject"
Article 15. Right of access by the data subject string(22) "Right to rectification"
Article 16. Right to rectification string(46) "Right to erasure (‘right to be forgotten’)"
Article 17. Right to erasure (‘right to be forgotten’) string(34) "Right to restriction of processing"
Article 18. Right to restriction of processing string(104) "Notification obligation regarding rectification or erasure of personal data or restriction of processing"
Article 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing string(25) "Right to data portability"
Article 20. Right to data portability string(15) "Right to object"
Article 21. Right to object string(57) "Automated individual decision-making, including profiling"
Article 22. Automated individual decision-making, including profiling string(12) "Restrictions"
Article 23. Restrictions string(29) "Subject-matter and objectives"
Article 24. Subject-matter and objectives string(40) "Data protection by design and by default"
Article 25. Data protection by design and by default string(17) "Joint controllers"
Article 26. Joint controllers string(73) "Representatives of controllers or processors not established in the Union"
Article 27. Representatives of controllers or processors not established in the Union string(9) "Processor"
Article 28. Processor string(61) "Processing under the authority of the controller or processor"
Article 29. Processing under the authority of the controller or processor string(32) "Records of processing activities"
Article 30. Records of processing activities string(42) "Cooperation with the supervisory authority"
Article 31. Cooperation with the supervisory authority string(22) "Security of processing"
Article 32. Security of processing string(67) "Notification of a personal data breach to the supervisory authority"
Article 33. Notification of a personal data breach to the supervisory authority string(59) "Communication of a personal data breach to the data subject"
Article 34. Communication of a personal data breach to the data subject string(33) "Data protection impact assessment"
Article 35. Data protection impact assessment string(18) "Prior consultation"
Article 36. Prior consultation string(42) "Designation of the data protection officer"
Article 37. Designation of the data protection officer string(39) "Position of the data protection officer"
Article 38. Position of the data protection officer string(36) "Tasks of the data protection officer"
Article 39. Tasks of the data protection officer string(16) "Codes of conduct"
Article 40. Codes of conduct string(39) "Monitoring of approved codes of conduct"
Article 41. Monitoring of approved codes of conduct string(13) "Certification"
Article 42. Certification string(20) "Certification bodies"
Article 43. Certification bodies string(31) "General principle for transfers"
Article 44. General principle for transfers string(46) "Transfers on the basis of an adequacy decision"
Article 45. Transfers on the basis of an adequacy decision string(43) "Transfers subject to appropriate safeguards"
Article 46. Transfers subject to appropriate safeguards string(23) "Binding corporate rules"
Article 47. Binding corporate rules string(52) "Transfers or disclosures not authorised by Union law"
Article 48. Transfers or disclosures not authorised by Union law string(35) "Derogations for specific situations"
Article 49. Derogations for specific situations string(61) "International cooperation for the protection of personal data"
Article 50. International cooperation for the protection of personal data string(21) "Supervisory authority"
Article 51. Supervisory authority string(12) "Independence"
Article 52. Independence string(63) "General conditions for the members of the supervisory authority"
Article 53. General conditions for the members of the supervisory authority string(55) "Rules on the establishment of the supervisory authority"
Article 54. Rules on the establishment of the supervisory authority string(10) "Competence"
Article 55. Competence string(44) "Competence of the lead supervisory authority"
Article 56. Competence of the lead supervisory authority string(5) "Tasks"
Article 57. Tasks string(6) "Powers"
Article 58. Powers string(16) "Activity reports"
Article 59. Activity reports string(98) "Cooperation between the lead supervisory authority and the other supervisory authorities concerned"
Article 60. Cooperation between the lead supervisory authority and the other supervisory authorities concerned string(17) "Mutual assistance"
Article 61. Mutual assistance string(43) "Joint operations of supervisory authorities"
Article 62. Joint operations of supervisory authorities string(21) "Consistency mechanism"
Article 63. Consistency mechanism string(20) "Opinion of the Board"
Article 64. Opinion of the Board string(31) "Dispute resolution by the Board"
Article 65. Dispute resolution by the Board string(17) "Urgency procedure"
Article 66. Urgency procedure string(23) "Exchange of information"
Article 67. Exchange of information string(30) "European Data Protection Board"
Article 68. European Data Protection Board string(12) "Independence"
Article 69. Independence string(18) "Tasks of the Board"
Article 70. Tasks of the Board string(7) "Reports"
Article 71. Reports string(9) "Procedure"
Article 72. Procedure string(5) "Chair"
Article 73. Chair string(18) "Tasks of the Chair"
Article 74. Tasks of the Chair string(11) "Secretariat"
Article 75. Secretariat string(15) "Confidentiality"
Article 76. Confidentiality string(55) "Right to lodge a complaint with a supervisory authority"
Article 77. Right to lodge a complaint with a supervisory authority string(69) "Right to an effective judicial remedy against a supervisory authority"
Article 78. Right to an effective judicial remedy against a supervisory authority string(71) "Right to an effective judicial remedy against a controller or processor"
Article 79. Right to an effective judicial remedy against a controller or processor string(31) "Representation of data subjects"
Article 80. Representation of data subjects string(25) "Suspension of proceedings"
Article 81. Suspension of proceedings string(35) "Right to compensation and liability"
Article 82. Right to compensation and liability string(52) "General conditions for imposing administrative fines"
Article 83. General conditions for imposing administrative fines string(9) "Penalties"
Article 84. Penalties string(52) "Processing and freedom of expression and information"
Article 85. Processing and freedom of expression and information string(50) "Processing and public access to official documents"
Article 86. Processing and public access to official documents string(48) "Processing of the national identification number"
Article 87. Processing of the national identification number string(39) "Processing in the context of employment"
Article 88. Processing in the context of employment string(163) "Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes"
Article 89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes string(22) "Obligations of secrecy"
Article 90. Obligations of secrecy string(69) "Existing data protection rules of churches and religious associations"
Article 91. Existing data protection rules of churches and religious associations string(26) "Exercise of the delegation"
Article 92. Exercise of the delegation string(19) "Committee procedure"
Article 93. Committee procedure string(28) "Repeal of Directive 95/46/EC"
Article 94. Repeal of Directive 95/46/EC string(38) "Relationship with Directive 2002/58/EC"
Article 95. Relationship with Directive 2002/58/EC string(49) "Relationship with previously concluded Agreements"
Article 96. Relationship with previously concluded Agreements string(18) "Commission reports"
Article 97. Commission reports string(51) "Review of other Union legal acts on data protection"
Article 98. Review of other Union legal acts on data protection string(32) "Entry into force and application"
Article 99. Entry into force and application string(0) ""
Recital 1 string(0) ""
Recital 2 string(8) "M SCHULZ"
Recital 3 string(0) ""
Recital 4 string(0) ""
Recital 5 string(0) ""
Recital 6 string(0) ""
Recital 7 string(0) ""
Recital 8 string(0) ""
Recital 9 string(0) ""
Recital 10 string(0) ""
Recital 11 string(0) ""
Recital 12 string(15) "For the Council"
Recital 13 string(0) ""
Recital 14 string(0) ""
Recital 15 string(0) ""
Recital 16 string(13) "The President"
Recital 17 string(0) ""
Recital 18 string(21) "JA HENNIS-PLASSCHAERT"
Recital 19 string(0) ""
Recital 20 string(0) ""
Recital 21 string(0) ""
Recital 22 string(0) ""
Recital 23 string(0) ""
Recital 24 string(0) ""
Recital 25 string(0) ""
Recital 26 string(0) ""
Recital 27 string(0) ""
Recital 28 string(0) ""
Recital 29 string(0) ""
Recital 30 string(0) ""
Recital 31 string(0) ""
Recital 32 string(0) ""
Recital 33 string(0) ""
Recital 34 string(0) ""
Recital 35 string(0) ""
Recital 36 string(0) ""
Recital 37 string(0) ""
Recital 38 string(0) ""
Recital 39 string(0) ""
Recital 40 string(0) ""
Recital 41 string(0) ""
Recital 42 string(0) ""
Recital 43 string(0) ""
Recital 44 string(0) ""
Recital 45 string(0) ""
Recital 46 string(0) ""
Recital 47 string(0) ""
Recital 48 string(0) ""
Recital 49 string(0) ""
Recital 50 string(0) ""
Recital 51 string(0) ""
Recital 52 string(0) ""
Recital 53 string(0) ""
Recital 54 string(0) ""
Recital 55 string(0) ""
Recital 56 string(0) ""
Recital 57 string(0) ""
Recital 58 string(0) ""
Recital 59 string(0) ""
Recital 60 string(0) ""
Recital 61 string(0) ""
Recital 62 string(0) ""
Recital 63 string(0) ""
Recital 64 string(0) ""
Recital 65 string(0) ""
Recital 66 string(0) ""
Recital 67 string(0) ""
Recital 68 string(0) ""
Recital 69 string(0) ""
Recital 70 string(0) ""
Recital 71 string(0) ""
Recital 72 string(0) ""
Recital 73 string(0) ""
Recital 74 string(0) ""
Recital 75 string(0) ""
Recital 76 string(0) ""
Recital 77 string(0) ""
Recital 78 string(0) ""
Recital 79 string(0) ""
Recital 80 string(0) ""
Recital 81 string(0) ""
Recital 82 string(0) ""
Recital 83 string(0) ""
Recital 84 string(0) ""
Recital 85 string(0) ""
Recital 86 string(0) ""
Recital 87 string(0) ""
Recital 88 string(0) ""
Recital 89 string(0) ""
Recital 90 string(0) ""
Recital 91 string(0) ""
Recital 92 string(0) ""
Recital 93 string(0) ""
Recital 94 string(0) ""
Recital 95 string(0) ""
Recital 96 string(0) ""
Recital 97 string(0) ""
Recital 98 string(0) ""
Recital 99 string(0) ""
Recital 100 string(0) ""
Recital 101 string(0) ""
Recital 102 string(0) ""
Recital 103 string(0) ""
Recital 104 string(0) ""
Recital 105 string(0) ""
Recital 106 string(0) ""
Recital 107 string(0) ""
Recital 108 string(0) ""
Recital 109 string(0) ""
Recital 110 string(0) ""
Recital 111 string(0) ""
Recital 112 string(0) ""
Recital 113 string(0) ""
Recital 114 string(0) ""
Recital 115 string(0) ""
Recital 116 string(0) ""
Recital 117 string(0) ""
Recital 118 string(0) ""
Recital 119 string(0) ""
Recital 126 string(0) ""
Recital 127 string(0) ""
Recital 128 string(0) ""
Recital 129 string(0) ""
Recital 130 string(0) ""
Recital 131 string(0) ""
Recital 132 string(0) ""
Recital 133 string(0) ""
Recital 134 string(0) ""
Recital 135 string(0) ""
Recital 136 string(0) ""
Recital 137 string(0) ""
Recital 138 string(0) ""
Recital 139 string(0) ""
Recital 140 string(0) ""
Recital 141 string(0) ""
Recital 142 string(0) ""
Recital 120 string(0) ""
Recital 121 string(0) ""
Recital 122 string(0) ""
Recital 123 string(0) ""
Recital 124 string(0) ""
Recital 125 string(0) ""
Recital 143 string(0) ""
Recital 144 string(0) ""
Recital 145 string(0) ""
Recital 146 string(0) ""
Recital 147 string(0) ""
Recital 148 string(0) ""
Recital 149 string(0) ""
Recital 150 string(0) ""
Recital 151 string(0) ""
Recital 152 string(0) ""
Recital 153 string(0) ""
Recital 154 string(0) ""
Recital 155 string(0) ""
Recital 156 string(0) ""
Recital 157 string(0) ""
Recital 158 string(0) ""
Recital 159 string(0) ""
Recital 160 string(0) ""
Recital 161 string(0) ""
Recital 162 string(0) ""
Recital 163 string(0) ""
Recital 164 string(0) ""
Recital 165 string(0) ""
Recital 166 string(0) ""
Recital 167 string(0) ""
Recital 168 string(0) ""
Recital 169 string(0) ""
Recital 170 string(0) ""
Recital 171 string(0) ""
Recital 172 string(0) ""
Recital 173
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 29 GDPR:
8.2.2 Organization’s purposes
Control
The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
Implementation guidance
The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.
In order to achieve the customer’s purpose, there can be technical reasons why it is appropriate for the organization to determine the method for processing PII, consistent with the general instructions of the customer but without the customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it can be necessary to allocate specific processing resources depending on certain characteristics of the PII principal.
The organization should allow the customer to verify their compliance with the purpose specification and limitation principles. This also ensures that no PII is processed by the organization or any of its subcontractors for other purposes than those expressed in the documented instructions of the customer.