Version status: Applicable | Document consolidation status: No known changes

Published date: 21 November 2018

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance)

	Recitals
	Chapter I General provisions (arts. 1-3)
	Article 1 Subject matter and objectives
	Article 2 Scope
	Article 3 Definitions
	Chapter II General principles (arts. 4-13)
	Article 4 Principles relating to processing of personal data
	Article 5 Lawfulness of processing
	Article 6 Processing for another compatible purpose
	Article 7 Conditions for consent
	Article 8 Conditions applicable to a child's consent in relation to information society services
	Article 9 Transmissions of personal data to recipients established in the Union other than Union institutions and bodies
	Article 10 Processing of special categories of personal data
	Article 11 Processing of personal data relating to criminal convictions and offences
	Article 12 Processing which does not require identification
	Article 13 Safeguards relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
	Chapter III Richts of the data subject (arts. 14-25)
	Section 1 Transparency and modalities (art. 14)
	Article 14 Transparent information, communication and modalities for the exercise of the rights of the data subject
	Section 2 Information and access to personal data (arts. 15-17)
	Article 15 Information to be provided where personal data are collected from the data subject
	Article 16 Information to be provided where personal data have not been obtained from the data subject
	Article 17 Right of access by the data subject
	Section 3 Rectification and erasure (arts. 18-22)
	Article 18 Right to rectification
	Article 19 Right to erasure ('right to be forgotten')
	Article 20 Right to restriction of processing
	Article 21 Notification obligation regarding rectification or erasure of personal data or restriction of processing
	Article 22 Right to data portability
	Section 4 Right to object and automated individual decision-making (arts. 23-24)
	Article 23 Right to object
	Article 24 Automated individual decision-making, including profiling
	Section 5 Restrictions (art. 25)
	Article 25 Restrictions
	Chapter IV Controller and processor (arts. 26-45)
	Section 1 General obligations (arts. 26-32)
	Article 26 Responsibility of the controller
	Article 27 Data protection by design and by default
	Article 28 Joint controllers
	Article 29 Processor
	Article 30 Processing under the authority of the controller or processor
	Article 31 Records of processing activities
	Article 32 Cooperation with the European Data Protection Supervisor
	Section 2 Security of personal data (arts. 33-35)
	Article 33 Security of processing
	Article 34 Notification of a personal data breach to the European Data Protection Supervisor
	Article 35 Communication of a personal data breach to the data subject
	Section 3 Confidentiality of electronic communications (arts. 36-38)
	Article 36 Confidentiality of electronic communications
	Article 37 Protection of information transmitted to, stored in, related to, processed by and collected from users' terminal equipment
	Article 38 Directories of users
	Section 4 Data protection impact assessment and prior consultation (arts. 39-40)
	Article 39 Data protection impact assessment
	Article 40 Prior consultation
	Section 5 Information and legislative consultation (arts. 41-42)
	Article 41 Information and consultation
	Article 42 Legislative consultation
	Section 6 Data protection officer (arts. 43-45)
	Article 43 Designation of the data protection officer
	Article 44 Position of the data protection officer
	Article 45 Tasks of the data protection officer
	Chapter V Transfers of personal data to third countries or international organisations (arts. 46-51)
	Article 46 General principle for transfers
	Article 47 Transfers on the basis of an adequacy decision
	Article 48 Transfers subject to appropriate safeguards
	Article 49 Transfers or disclosures not authorised by Union law
	Article 50 Derogations for specific situations
	Article 51 International cooperation for the protection of personal data
	Chapter VI European data protection supervisor (arts. 52-60)
	Article 52 European Data Protection Supervisor
	Article 53 Appointment of the European Data Protection Supervisor
	Article 54 Regulations and general conditions governing the performance of the European Data Protection Supervisor's duties, staff and financial resources
	Article 55 Independence
	Article 56 Professional secrecy
	Article 57 Tasks
	Article 58 Powers
	Article 59 Obligation of controllers and processors to react to allegations
	Article 60 Activities report
	Chapter VII Cooperation and consistency (arts. 61-62)
	Article 61 Cooperation between the European Data Protection Supervisor and national supervisory authorities
	Article 62 Coordinated supervision by the European Data Protection Supervisor and national supervisory authorities
	Chapter VIII Remedies, liability and penalties (arts. 63-69)
	Article 63 Right to lodge a complaint with the European Data Protection Supervisor
	Article 64 Right to an effective judicial remedy
	Article 65 Right to compensation
	Article 66 Administrative fines
	Article 67 Representation of data subjects
	Article 68 Complaints by Union staff
	Article 69 Sanctions
	Chapter IX Processing of operational personal data by union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU (arts. 70-95)
	Article 70 Scope of the Chapter
	Article 71 Principles relating to processing of operational personal data
	Article 72 Lawfulness of processing of operational personal data
	Article 73 Distinction between different categories of data subjects
	Article 74 Distinction between operational personal data and verification of the quality of operational personal data
	Article 75 Specific processing conditions
	Article 76 Processing of special categories of operational personal data
	Article 77 Automated individual decision-making, including profiling
	Article 78 Communication and modalities for exercising the rights of the data subject
	Article 79 Information to be made available or given to the data subject
	Article 80 Right of access by the data subject
	Article 81 Limitations to the right of access
	Article 82 Right to rectification or erasure of operational personal data and restriction of processing
	Article 83 Right of access in criminal investigations and proceedings
	Article 84 Exercise of rights by the data subject and verification by the European Data Protection Supervisor
	Article 85 Data protection by design and by default
	Article 86 Joint controllers
	Article 87 Processor
	Article 88 Logging
	Article 89 Data protection impact assessment
	Article 90 Prior consultation of the European Data Protection Supervisor
	Article 91 Security of processing of operational personal data
	Article 92 Notification of a personal data breach to the European Data Protection Supervisor
	Article 93 Communication of a personal data breach to the data subject
	Article 94 Transfer of operational personal data to third countries and international organisations
	Article 95 Secrecy of judicial inquiries and criminal proceedings
	Chapter X Implementing Acts (art. 96)
	Article 96 Committee procedure
	Chapter XI Review (art. 97-98)
	Article 97 Review clause
	Article 98 Review of Union legal acts
	Chapter XII Final provisions (arts. 99-101)
	Article 99 Repeal of Regulation (EC) No 45/2001 and of Decision No 1247/2002/EC
	Article 100 Transitional measures
	Article 101 Entry into force and application
	Done at