TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR EUR-Lex: How to Read the Official GDPR Legal Text
Legal Compliance

GDPR EUR-Lex: How to Read the Official GDPR Legal Text

Navigate the GDPR on EUR-Lex with this practical guide. Understand the official legal text structure, key articles, and how to use it for compliance.

TermsBox Team|April 3, 202613 min read

The GDPR EUR-Lex entry is the definitive source for the full text of the General Data Protection Regulation, the European Union's landmark data protection law. Whether you are a business owner assessing compliance obligations, a developer implementing privacy features, or a legal professional drafting data processing agreements, understanding how to navigate the official GDPR text on EUR-Lex is an essential skill.

This article explains the structure of the GDPR as published on EUR-Lex and highlights the provisions most relevant to businesses. It is educational content, not legal advice. Consult a qualified data protection attorney for guidance specific to your organisation.

What Is EUR-Lex?

EUR-Lex is the official online portal for European Union law. Maintained by the Publications Office of the European Union, it provides free public access to EU treaties, regulations, directives, decisions, and other legal instruments. All documents are published in the 24 official languages of the EU.

For any EU regulation, EUR-Lex is the only source that carries legal authority. The texts published in the Official Journal of the European Union (OJ), which EUR-Lex hosts digitally, are the versions that courts, regulators, and supervisory authorities treat as authoritative. Third-party websites that reproduce EU law may contain errors, omit corrigenda, or miss consolidated amendments.

The GDPR's formal citation on EUR-Lex is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Its CELEX number is 32016R0679.

Structure of the GDPR on EUR-Lex

The GDPR text on EUR-Lex follows a standard structure for EU regulations. Understanding this structure helps you locate specific provisions quickly and interpret them correctly.

Recitals (Preamble)

The GDPR begins with 173 recitals numbered (1) through (173). Recitals are not legally binding in themselves, but they provide essential context for interpreting the articles. EU courts regularly cite recitals when determining the intent behind specific provisions.

For example, Recital 26 clarifies the concept of "personal data" by explaining that anonymised data falls outside the regulation's scope, while pseudonymised data does not. Recital 47 provides guidance on when legitimate interest may serve as a lawful basis for processing, noting that direct marketing may qualify.

Chapters and Articles

The operative provisions of the GDPR are organised into 11 chapters containing 99 articles:

  1. Chapter I (Articles 1 to 4): General provisions, including subject matter, scope, and definitions
  2. Chapter II (Articles 5 to 11): Principles of data processing and conditions for consent
  3. Chapter III (Articles 12 to 23): Rights of data subjects
  4. Chapter IV (Articles 24 to 43): Controller and processor obligations
  5. Chapter V (Articles 44 to 50): International data transfers
  6. Chapter VI (Articles 51 to 59): Independent supervisory authorities
  7. Chapter VII (Articles 60 to 76): Cooperation and consistency mechanisms
  8. Chapter VIII (Articles 77 to 84): Remedies, liability, and penalties
  9. Chapter IX (Articles 85 to 91): Specific processing situations
  10. Chapter X (Articles 92 to 93): Delegated and implementing acts
  11. Chapter XI (Articles 94 to 99): Final provisions

Annexes and Corrigenda

EUR-Lex also hosts corrigenda, which are official corrections to errors in the published text. The GDPR has received several corrigenda since its original publication. Always use the "consolidated" version on EUR-Lex, which incorporates all corrections into a single clean text, rather than the original OJ version.

Key GDPR Articles Every Business Should Know

While all 99 articles contribute to the regulatory framework, certain provisions are particularly relevant for organisations that collect or process personal data.

Article 5: Principles of Processing

Article 5 establishes the seven foundational principles that govern all personal data processing:

  • Lawfulness, fairness, and transparency: processing must have a legal basis and be communicated clearly to data subjects
  • Purpose limitation: data must be collected for specified, explicit, and legitimate purposes
  • Data minimisation: only data that is adequate, relevant, and limited to what is necessary should be collected
  • Accuracy: personal data must be kept accurate and up to date
  • Storage limitation: data must not be kept longer than necessary for its purpose
  • Integrity and confidentiality: data must be processed with appropriate security measures
  • Accountability: the controller must be able to demonstrate compliance with all of these principles

Every other obligation in the GDPR flows from these principles. Your privacy policy should reflect how your organisation implements each one.

Article 6: Lawful Bases for Processing

Article 6 lists the six lawful bases that can legitimise personal data processing:

  1. Consent of the data subject
  2. Contractual necessity: processing is necessary for performance of a contract
  3. Legal obligation: processing is required by EU or member state law
  4. Vital interests: processing is necessary to protect someone's life
  5. Public interest: processing is necessary for a task in the public interest
  6. Legitimate interests: processing is necessary for the controller's or a third party's legitimate interests, balanced against the data subject's rights

Businesses most commonly rely on consent, contractual necessity, and legitimate interests. The chosen lawful basis must be identified and documented before processing begins, as Article 13 requires that data subjects be informed of the lawful basis at the time of collection.

Articles 13 and 14: Transparency Obligations

These articles specify exactly what information must be provided to data subjects when their personal data is collected. Article 13 applies when data is collected directly from the individual. Article 14 applies when data is obtained from other sources.

The required disclosures include the identity and contact details of the controller, the purposes and lawful basis for processing, the categories of personal data concerned, any recipients or categories of recipients, international transfer details, the retention period, and a full summary of data subject rights.

Articles 15 Through 22: Data Subject Rights

Chapter III of the GDPR grants individuals a suite of rights over their personal data:

  • Article 15: right of access (obtaining a copy of one's data)
  • Article 16: right to rectification (correcting inaccurate data)
  • Article 17: right to erasure ("right to be forgotten")
  • Article 18: right to restriction of processing
  • Article 20: right to data portability
  • Article 21: right to object to processing
  • Article 22: protection against solely automated decision-making

Organisations must be able to fulfil these rights within one month of receiving a request, as specified in Article 12(3). Having clear internal procedures and technical capabilities to locate, extract, correct, and delete personal data is not optional.

Article 32: Security of Processing

Article 32 requires both controllers and processors to implement technical and organisational measures appropriate to the risk. It explicitly mentions pseudonymisation, encryption, ongoing confidentiality assurance, resilience of systems, timely data restoration capabilities, and regular testing of security measures.

This article is deliberately technology-neutral. It does not prescribe specific tools or standards but requires a risk-based approach that accounts for the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

Articles 33 and 34: Breach Notification

When a personal data breach occurs, Article 33 requires notification to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals. Article 34 requires direct notification to affected individuals when the breach is likely to result in a high risk to their rights and freedoms.

Article 83: Penalties

Article 83 establishes the GDPR's two-tier penalty framework:

  • Up to 10 million EUR or 2% of global annual turnover for infringements of controller and processor obligations, certification requirements, and monitoring body obligations
  • Up to 20 million EUR or 4% of global annual turnover for infringements of processing principles, lawful basis requirements, consent conditions, data subject rights, and international transfer provisions

Supervisory authorities have actively used these powers. Notable fines include the 1.2 billion EUR fine issued to Meta by the Irish Data Protection Commission in 2023 for unlawful international data transfers.

How to Use the GDPR EUR-Lex Text for Compliance

Reading the law is the first step. Translating it into practical compliance measures is where the real work begins.

Start with the Principles

Begin by mapping your data processing activities against the seven principles in Article 5. For each type of processing your organisation performs, document the lawful basis (Article 6), the data minimisation rationale, the retention period, and the security measures in place. This mapping forms the foundation of your Records of Processing Activities required by Article 30.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Cross-Reference Recitals with Articles

When an article's language is ambiguous, read the corresponding recitals. The recital numbers do not map one-to-one to article numbers, but EUR-Lex provides hyperlinked cross-references in the consolidated version. For example, when interpreting "legitimate interests" under Article 6(1)(f), Recitals 47 through 49 provide practical examples including fraud prevention, network security, and direct marketing.

Check National Implementing Legislation

The GDPR is a regulation (directly applicable in all member states), but it contains over 50 "opening clauses" that allow member states to specify or restrict certain provisions. Article 85 allows member states to reconcile data protection with freedom of expression. Article 88 allows specific rules for employee data processing.

If your organisation operates in specific EU countries, check whether national legislation modifies any GDPR provisions that affect your processing activities. EUR-Lex links to national transposition measures where they exist.

Track Regulatory Guidance

The European Data Protection Board (EDPB) publishes guidelines, recommendations, and opinions that interpret specific GDPR provisions. While not legally binding in the same way as the regulation itself, EDPB guidance is highly influential and is regularly cited by supervisory authorities in enforcement decisions. Check the EDPB website for guidance on topics relevant to your processing activities.

GDPR EUR-Lex and Website Compliance

Website operators face specific GDPR obligations that are addressed across multiple articles in the regulation.

Cookie Consent Requirements

While cookie consent is primarily governed by the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), the GDPR's consent requirements in Article 7 and Recital 32 set the standard for what constitutes valid consent. Consent must be freely given, specific, informed, and unambiguous, demonstrated by a clear affirmative action.

This means pre-ticked checkboxes, implied consent from continued browsing, and cookie walls that block access unless all cookies are accepted are not compliant. Your cookie consent mechanism must allow users to accept or reject specific categories of cookies before any non-essential cookies are set.

A cookie policy should complement your consent mechanism by explaining what cookies your site uses, their purposes, and their retention periods.

Privacy Notices

Articles 13 and 14 require comprehensive privacy notices that disclose your data processing practices. For websites, this translates to a clear, accessible privacy policy that covers all data collection points including contact forms, account registration, analytics, cookies, and any third-party integrations.

TermsBox provides a privacy policy generator that helps structure these disclosures according to the GDPR's Article 13 requirements, ensuring all mandatory information items are addressed.

International Transfers

If your website uses services hosted outside the European Economic Area (such as analytics platforms, CDNs, or payment processors based in the United States), Chapter V of the GDPR applies. Articles 44 through 49 require that international transfers are covered by an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, or a specific derogation.

The EU-US Data Privacy Framework, adopted in July 2023, provides an adequacy mechanism for transfers to certified US organisations, but it applies only to companies that have self-certified under the framework.

Common Misunderstandings About the GDPR Text

Several widespread misconceptions about the GDPR persist, often because people rely on secondary sources rather than the EUR-Lex text itself.

"The GDPR Only Applies to EU Companies"

Article 3 establishes the GDPR's territorial scope, which is based on the location of data subjects, not the location of the organisation. Any organisation that offers goods or services to individuals in the EU or monitors their behaviour is subject to the GDPR, regardless of where the organisation is established.

"Consent Is Always Required"

Article 6 provides six lawful bases for processing. Consent is one option, but contractual necessity, legitimate interests, and legal obligations are equally valid depending on the context. Over-reliance on consent when another basis is more appropriate can actually create compliance problems, because consent can be withdrawn at any time under Article 7(3).

"The GDPR Bans Data Collection"

The GDPR does not prohibit data collection. It regulates how personal data is collected, processed, stored, and shared. Organisations that follow the principles in Article 5, establish a lawful basis under Article 6, and fulfil their transparency and security obligations can process personal data lawfully.

"Small Businesses Are Exempt"

The GDPR applies to all organisations that process personal data of individuals in the EU, regardless of size. Article 30(5) provides a limited exemption from record-keeping obligations for organisations with fewer than 250 employees, but only for processing that is occasional, low-risk, and does not involve special categories of data. In practice, most businesses do not qualify for even this narrow exemption.

Frequently Asked Questions

Where can I find the official GDPR text on EUR-Lex?

The official GDPR text is published on EUR-Lex at the document identifier CELEX 32016R0679. It is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. EUR-Lex provides the text in all 24 official EU languages, with the English version serving as the most commonly referenced in international compliance work.

Is the GDPR text on EUR-Lex legally binding?

Yes. EUR-Lex is the official publication platform of EU law, and the texts published there in the Official Journal of the European Union are the authoritative legal versions. Only the versions published in the Official Journal have legal force. Third-party summaries or unofficial copies may contain errors or omit amendments, so always verify against the EUR-Lex source.

How many articles does the GDPR contain?

The GDPR contains 99 articles organised across 11 chapters, plus 173 recitals in the preamble. The articles set out legally binding obligations, while the recitals provide context and interpretive guidance. Both are important for understanding how the regulation applies in practice.

What are the most important GDPR articles for businesses?

The most critical articles for businesses include Article 5 (data processing principles), Article 6 (lawful bases for processing), Article 13 and 14 (transparency and information obligations), Article 15 through 22 (data subject rights), Article 28 (processor obligations), Article 32 (security measures), Article 33 and 34 (breach notification), and Article 83 (penalty framework allowing fines up to 20 million EUR or 4% of global annual turnover).

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: Complete Guide to privacy.apple.com

Learn how to use Apple's data & privacy website to download, manage, and delete your personal data. Step-by-step guide to privacy.apple.com.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is EUR-Lex?
  • Structure of the GDPR on EUR-Lex
  • Recitals (Preamble)
  • Chapters and Articles
  • Annexes and Corrigenda
  • Key GDPR Articles Every Business Should Know
  • Article 5: Principles of Processing
  • Article 6: Lawful Bases for Processing
  • Articles 13 and 14: Transparency Obligations
  • Articles 15 Through 22: Data Subject Rights
  • Article 32: Security of Processing
  • Articles 33 and 34: Breach Notification
  • Article 83: Penalties
  • How to Use the GDPR EUR-Lex Text for Compliance
  • Start with the Principles
  • Cross-Reference Recitals with Articles
  • Check National Implementing Legislation
  • Track Regulatory Guidance
  • GDPR EUR-Lex and Website Compliance
  • Cookie Consent Requirements
  • Privacy Notices
  • International Transfers
  • Common Misunderstandings About the GDPR Text
  • "The GDPR Only Applies to EU Companies"
  • "Consent Is Always Required"
  • "The GDPR Bans Data Collection"
  • "Small Businesses Are Exempt"
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.