GDPR Text: Key Articles and What They Require
A practical breakdown of the GDPR text covering key articles, data subject rights, and what website owners must do to comply with each requirement.
The GDPR text is the foundational legal document governing data protection across the European Union and the European Economic Area. Formally known as Regulation (EU) 2016/679, the GDPR text defines the rules that every website collecting personal data from EU residents must follow, from how you obtain consent to how you respond when a user asks you to delete their information.
This guide breaks down the key provisions of the GDPR text into practical terms for website owners and business operators. This content is for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
Structure of the GDPR Text
The GDPR text is organized into 11 chapters containing 99 articles. It also includes 173 recitals, which are introductory paragraphs that provide context and interpretive guidance for the binding articles that follow. Understanding the structure helps you locate specific requirements when you need them.
The chapters are arranged as follows:
- Chapter I (Articles 1 to 4): General provisions, scope, and definitions
- Chapter II (Articles 5 to 11): Principles of data processing
- Chapter III (Articles 12 to 23): Rights of data subjects
- Chapter IV (Articles 24 to 43): Controller and processor obligations
- Chapter V (Articles 44 to 50): International data transfers
- Chapter VI (Articles 51 to 59): Supervisory authorities
- Chapter VII (Articles 60 to 76): Cooperation and consistency
- Chapter VIII (Articles 77 to 84): Remedies, liability, and penalties
- Chapter IX (Articles 85 to 91): Provisions for specific processing situations
- Chapter X (Articles 92 to 93): Delegated acts and implementing acts
- Chapter XI (Articles 94 to 99): Final provisions
For most website owners, Chapters II through V contain the provisions that directly affect day-to-day operations. The recitals are not legally binding on their own, but courts and supervisory authorities regularly cite them when interpreting ambiguous articles.
Core Principles in the GDPR Text
Article 5 of the GDPR text establishes seven principles that underpin every other obligation in the regulation. These principles are not abstract ideals. Supervisory authorities use them as the basis for enforcement decisions, and violations of these principles fall under the higher penalty tier of up to 20 million EUR or 4% of annual global turnover.
The seven principles are:
- Lawfulness, fairness, and transparency: You must have a valid legal basis for processing personal data, treat individuals fairly, and be open about what you do with their data.
- Purpose limitation: You may only collect data for specified, explicit, and legitimate purposes. Using data for a new purpose requires a separate legal basis or the individual's consent.
- Data minimization: Collect only the data that is adequate, relevant, and limited to what is necessary for the stated purpose.
- Accuracy: Keep personal data accurate and up to date. You must take reasonable steps to erase or rectify inaccurate data without delay.
- Storage limitation: Do not keep personal data in identifiable form for longer than necessary. Define and document retention periods.
- Integrity and confidentiality: Protect personal data against unauthorized access, loss, destruction, or damage using appropriate technical and organizational measures.
- Accountability: You must be able to demonstrate compliance with all of the above principles. Documentation, records, and policies are not optional.
The accountability principle, introduced in Article 5(2), is what distinguishes the GDPR from earlier data protection laws. It shifts the burden of proof: you do not simply avoid violations, you must actively demonstrate that you are compliant.
Lawful Bases for Processing Under the GDPR Text
Article 6 of the GDPR text defines six lawful bases for processing personal data. You must identify and document which basis applies before you begin processing. You cannot retroactively change your legal basis once processing has started.
The six lawful bases are:
- Consent (Article 6(1)(a)): The individual has given clear, affirmative consent to the processing for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous.
- Contract (Article 6(1)(b)): Processing is necessary for performing a contract with the individual or for taking steps at their request before entering a contract.
- Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation to which you are subject, such as tax reporting or employment law requirements.
- Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life. This basis is rarely applicable to standard website operations.
- Public interest (Article 6(1)(e)): Processing is necessary for performing a task carried out in the public interest or in the exercise of official authority. Primarily relevant to government bodies.
- Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the individual's rights. Requires a documented balancing test.
For most websites, consent and legitimate interests are the two most commonly used bases. Consent is typically required for non-essential cookies, marketing emails, and tracking technologies. Legitimate interests may cover essential analytics, fraud prevention, and network security, but only after you conduct and document a legitimate interest assessment.
Special categories of data
Article 9 of the GDPR text imposes stricter rules on processing special categories of personal data, including racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sexual orientation. Processing these categories is generally prohibited unless one of ten specific exceptions in Article 9(2) applies, such as explicit consent or substantial public interest.
Data Subject Rights in the GDPR Text
Chapter III of the GDPR text (Articles 12 to 23) establishes eight rights that individuals can exercise regarding their personal data. These rights are not theoretical. Under Article 12(3), you must respond to requests within one month, extendable by two additional months for complex cases.
Right to be informed (Articles 13 and 14)
When you collect personal data, you must provide specific information to the individual. Article 13 covers data collected directly from the individual, and Article 14 covers data obtained from other sources. The required disclosures include your identity, the purposes of processing, the legal basis, retention periods, and the individual's rights. Your privacy policy generator output should address these requirements.
Right of access (Article 15)
Individuals have the right to obtain confirmation of whether you are processing their data and, if so, to receive a copy of that data along with supplementary information about the processing.
Right to rectification (Article 16)
Individuals can require you to correct inaccurate personal data and to complete incomplete data.
Right to erasure (Article 17)
Also known as the "right to be forgotten," this right allows individuals to request deletion of their personal data under specific circumstances, including when the data is no longer necessary for its original purpose, when they withdraw consent, or when the data has been unlawfully processed. This right is not absolute. Article 17(3) lists exceptions, including compliance with legal obligations and the exercise of legal claims.
Right to restriction of processing (Article 18)
Individuals can request that you limit processing of their data in certain situations, such as when they contest its accuracy or when processing is unlawful but they prefer restriction over erasure.
Right to data portability (Article 20)
Where processing is based on consent or a contract and carried out by automated means, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
Right to object (Article 21)
Individuals can object to processing based on legitimate interests or public interest. For direct marketing, the right to object is absolute: you must stop processing immediately upon receiving an objection.
Rights related to automated decision-making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Exceptions exist for contractual necessity, legal authorization, and explicit consent.
Controller and Processor Obligations in the GDPR Text
Chapter IV of the GDPR text (Articles 24 to 43) sets out the responsibilities of data controllers and data processors. Understanding the distinction matters because your obligations differ depending on your role.
A controller determines the purposes and means of processing personal data. If you own a website and decide what data to collect and why, you are a controller. A processor processes data on behalf of a controller. Your hosting provider, email service, and analytics platform typically act as processors.
Data processing agreements
Article 28 requires controllers to have a written contract with each processor. This contract must specify the subject matter, duration, nature, and purpose of processing, the types of personal data involved, and the categories of data subjects. The processor must process data only on documented instructions from the controller.
Records of processing activities
Article 30 requires organizations with 250 or more employees to maintain records of processing activities. Organizations with fewer than 250 employees must also maintain records if the processing is not occasional, involves special categories of data, or is likely to result in a risk to individuals' rights.
Data protection impact assessments
Article 35 requires a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to individuals' rights and freedoms. This includes systematic monitoring of publicly accessible areas, large-scale processing of special categories of data, and automated decision-making with legal effects.
Data breach notification
Articles 33 and 34 establish breach notification obligations. You must notify your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights. If the breach is likely to result in a high risk, you must also notify the affected individuals without undue delay.
Data protection officer
Articles 37 to 39 require certain organizations to appoint a Data Protection Officer (DPO). This is mandatory for public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of data on a large scale.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowInternational Data Transfers in the GDPR Text
Chapter V of the GDPR text (Articles 44 to 50) restricts transfers of personal data to countries outside the EEA. These restrictions exist because the GDPR's protections would be meaningless if data could simply be moved to a jurisdiction with weaker protections.
The GDPR text permits international transfers through several mechanisms:
- Adequacy decisions (Article 45): The European Commission can determine that a third country provides an adequate level of data protection. Countries with adequacy decisions include Japan, South Korea, the United Kingdom, and the United States (under the EU-U.S. Data Privacy Framework).
- Standard Contractual Clauses (Article 46(2)(c)): Pre-approved contract terms adopted by the European Commission that impose GDPR-level obligations on the data importer.
- Binding Corporate Rules (Article 47): Internal policies approved by supervisory authorities for multinational organizations to transfer data within their corporate group.
- Derogations (Article 49): Limited exceptions for specific situations, including explicit consent after being informed of risks, contractual necessity, and important reasons of public interest.
If your website uses third-party services that transfer data to the United States, you should verify whether those providers are certified under the Data Privacy Framework or rely on Standard Contractual Clauses. Your privacy policy must disclose the transfer mechanisms you rely on, as required by Article 13(1)(f).
Penalties and Enforcement in the GDPR Text
The GDPR text established a penalty structure that made data protection violations financially significant for organizations of any size. Articles 83 and 84 define the enforcement framework.
Two-tier fine structure
The GDPR text creates two tiers of administrative fines:
- Lower tier (Article 83(4)): Up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher. Applies to violations of controller and processor obligations, certification body requirements, and monitoring body obligations.
- Upper tier (Article 83(5)): Up to 20 million EUR or 4% of total worldwide annual turnover, whichever is higher. Applies to violations of the core principles, lawful bases for processing, consent conditions, data subject rights, and international transfer rules.
Factors in determining fines
Article 83(2) lists 11 factors that supervisory authorities must consider when deciding whether to impose a fine and determining the amount:
- The nature, gravity, and duration of the violation
- Whether the infringement was intentional or negligent
- Actions taken to mitigate damage to data subjects
- Degree of responsibility considering technical and organizational measures
- Any previous infringements
- The degree of cooperation with the supervisory authority
- The categories of personal data affected
- How the supervisory authority became aware of the infringement
- Whether the organization previously received corrective measures
- Adherence to approved codes of conduct or certification mechanisms
- Any other aggravating or mitigating factors, including financial benefits gained
Notable enforcement examples
Since the GDPR text took effect on May 25, 2018, supervisory authorities across the EU have issued thousands of fines. Major actions include fines against Meta (1.2 billion EUR by the Irish DPC in 2023 for unlawful data transfers), Amazon (746 million EUR by Luxembourg's CNPD in 2021), and numerous smaller fines against organizations of all sizes for failures including inadequate consent mechanisms, missing privacy policies, and insufficient security measures.
How to Comply with the GDPR Text on Your Website
Translating the GDPR text into practical steps requires addressing several areas of your website operations. The following checklist covers the essential measures.
Privacy policy and transparency
Article 13 of the GDPR text requires you to provide users with specific information at the point of data collection. Your privacy policy must include your identity and contact details, the purposes and legal basis for each type of processing, data retention periods, information about international transfers, and a full explanation of data subject rights. Use a privacy policy generator to create a policy that addresses these requirements, then review it with legal counsel.
Cookie consent
If your website uses non-essential cookies, you need valid consent under both the GDPR and the ePrivacy Directive (Directive 2002/58/EC). Consent must be obtained before setting non-essential cookies, must be as easy to withdraw as to give, and must be recorded as evidence of compliance. A compliant cookie consent banner should present clear choices without pre-ticked boxes or dark patterns.
Data subject request handling
Establish a process for receiving and responding to data subject requests within the one-month deadline set by Article 12(3). You need to verify the identity of the requester, locate all relevant personal data across your systems, and provide responses in a concise, transparent, and easily accessible format.
Security measures
Article 32 requires you to implement appropriate technical and organizational measures, including:
- Encryption of personal data in transit and at rest
- Access controls limiting who can view personal data
- Regular testing of security measures
- Incident response procedures for data breaches
- Employee training on data protection obligations
Vendor management
Review the data processing agreements with every third-party service that handles personal data on your behalf. Under Article 28, these agreements must include specific provisions about the scope of processing, data security, sub-processor management, and data deletion upon contract termination.
Tools like TermsBox can help automate parts of this compliance work, including scanning your website for cookies and trackers, generating compliant legal documents, and providing a cookie consent banner that meets GDPR requirements.
GDPR Text and Other Privacy Regulations
The GDPR text does not exist in isolation. Several other privacy regulations affect website operations, and understanding how they interact helps you build a comprehensive compliance strategy.
The GDPR served as the model for many subsequent privacy laws. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), shares many concepts with the GDPR, including transparency requirements, access rights, and deletion rights. However, the CCPA uses an opt-out model for data sales rather than the GDPR's opt-in consent model.
The UK GDPR, retained in domestic law after Brexit through the Data Protection Act 2018, is substantively identical to the EU GDPR text but operates under UK supervisory authority rather than EU institutions. The UK has its own adequacy decisions and its own extension to the EU-U.S. Data Privacy Framework.
Brazil's Lei Geral de Protecao de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and new comprehensive privacy laws in U.S. states including Virginia, Colorado, Connecticut, and Texas all draw on concepts from the GDPR text while adapting them to local legal traditions.
If your website serves users across multiple jurisdictions, your compliance strategy must account for the overlapping requirements. A privacy policy generator can help you create a policy that addresses multiple regulations, but you should verify coverage with legal counsel familiar with each applicable law.
Frequently Asked Questions
Where can I find the official GDPR text?
The official GDPR text is published in the Official Journal of the European Union as Regulation (EU) 2016/679. You can access it free of charge on EUR-Lex, the official EU law database, at eur-lex.europa.eu. The regulation contains 99 articles organized across 11 chapters and 173 recitals that provide interpretive guidance.
How many articles are in the GDPR text?
The GDPR text contains 99 articles organized into 11 chapters. These chapters cover scope and definitions, principles, data subject rights, controller and processor obligations, international transfers, supervisory authorities, cooperation and consistency, remedies and penalties, delegated acts, and final provisions.
What are the penalties described in the GDPR text?
The GDPR text establishes a two-tier penalty structure under Articles 83 and 84. Lower-tier violations can result in fines up to 10 million EUR or 2% of annual global turnover, whichever is higher. Upper-tier violations, including breaches of data subject rights and lawful processing principles, carry fines up to 20 million EUR or 4% of annual global turnover.
Does the GDPR text apply to websites outside the European Union?
Yes. Article 3 of the GDPR text establishes extraterritorial scope. The regulation applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is established. This includes websites that offer goods or services to EU residents or monitor their behavior through cookies, analytics, or tracking technologies.