General provisions
Principles
Rights of the data subject
Controller and processor
Transfers of personal data to third countries or international organisations
Independent supervisory authorities
Cooperation and consistency
Remedies, liability and penalties
Provisions relating to specific processing situations
Delegated acts and implementing acts
Final provisions
Recital 1 – Data protection as a fundamental right
Recital 2 – Respect of the fundamental rights and freedoms
Recital 3 – Directive 95/46/EC harmonisation
Recital 4 – Data protection in balance with other fundamental rights
Recital 5 – Cooperation between Member States to exchange personal data
Recital 6 – Ensuring a high level of data protection despite the increased exchange of data
Recital 7 – The framework is based on control and certainty
Recital 8 – Adoption into national law
Recital 9 – Different standards of protection by the Directive 95/46/EC
Recital 10 – Harmonised level of data protection despite national scope
Recital 11 – Harmonisation of the powers and sanctions
Recital 12 – Authorization of the European Parliament and the Council
Recital 13 – Taking account of micro, small and medium-sized enterprises
Recital 14 – Not applicable to legal persons
Recital 15 – Technology neutrality
Recital 16 – Not applicable to activities regarding national and common security
Recital 17 – Adaptation of Regulation (EC) No 45/2001
Recital 18 – Not applicable to personal or household activities
Recital 19 – Not applicable to criminal prosecution
Recital 20 – Respecting the independence of the judiciary
Recital 21 – Liability rules of intermediary service providers shall remain unaffected
Recital 22 – Processing by an establishment
Recital 23 – Applicable to processors not established in the Union if data subjects within the Union are targeted
Recital 24 – Applicable to processors not established in the Union if data subjects within the Union are profiled
Recital 25 – Applicable to processors due to international law
Recital 26 – Not applicable to anonymous data
Recital 27 – Not applicable to data of deceased persons
Recital 28 – Introduction of pseudonymisation
Recital 29 – Pseudonymisation at the same controller
Recital 30 – Online identifiers for profiling and identification
Recital 31 – Not applicable to public authorities in connection with their official tasks
Recital 32 – Conditions for consent
Recital 33 – Consent to certain areas of scientific research
Recital 34 – Genetic data
Recital 35 – Health data
Recital 36 – Determination of the main establishment
Recital 37 – Enterprise group
Recital 38 – Special protection of children’s personal data
Recital 39 – Principles of data processing
Recital 40 – Lawfulness of data processing
Recital 41 – Legal basis or legislative measures
Recital 52 – Exceptions to the prohibition on processing special categories of personal data
Recital 53 – Processing of sensitive data in health and social sector
Recital 54 – Processing of sensitive data in public health sector
Recital 55 – Public interest in processing by official authorities for objectives of recognized religious communities
Recital 56 – Processing personal data on people’s political opinions by parties
Recital 57 – Additional data for identification purposes
Recital 58 – The principle of transparency
Recital 59 – Procedures for the exercise of the rights of the data subjects
Recital 60 – Information obligation
Recital 61 – Time of information
Recital 42 – Burden of proof and requirements for consent
Recital 43 – Freely given consent
Recital 44 – Performance of a contract
Recital 45 – Fulfillment of legal obligations
Recital 46 – Vital interests of the data subject
Recital 47 – Overriding legitimate interest
Recital 48 – Overriding legitimate interest within group of undertakings
Recital 49 – Network and information security as overriding legitimate interest
Recital 50 – Further processing of personal data
Recital 51 – Protecting sensitive personal data
Recital 62 – Exceptions to the obligation to provide information
Recital 63 – Right of access
Recital 64 – Identity verification
Recital 65 – Right of rectification and erasure
Recital 66 – Right to be forgotten
Recital 67 – Restriction of processing
Recital 68 – Right of data portability
Recital 69 – Right to object
Recital 70 – Right to object to direct marketing
Recital 71 – Profiling
Recital 72 – Guidance of the European Data Protection Board regarding profiling
Recital 73 – Restrictions of rights and principles
Recital 74 – Responsibility and liability of the controller
Recital 75 – Risks to the rights and freedoms of natural persons
Recital 76 – Risk assessment
Recital 77 – Risk assessment guidelines
Recital 78 – Appropriate technical and organisational measures
Recital 79 – Allocation of the responsibilities
Recital 80 – Designation of a representative
Recital 81 – The use of processors
Recital 82 – Record of processing activities
Recital 83 – Security of processing
Recital 84 – Risk evaluation and impact assessment
Recital 85 – Notification obligation of breaches to the supervisory authority
Recital 86 – Notification of data subjects in case of data breaches
Recital 87 – Promptness of reporting / notification
Recital 88 – Format and procedures of the notification
Recital 89 – Elimination of the general reporting requirement
Recital 90 – Data protection impact assessement
Recital 91 – Necessity of a data protection impact assessment
Recital 92 – Broader data protection impact assessment
Recital 93 – Data protection impact assessment at authorities
Recital 94 – Consultation of the supervisory authority
Recital 95 – Support by the processor
Recital 96 – Consultation of the supervisory authority in the course of a legislative process
Recital 97 – Data protection officer
Recital 98 – Preparation of codes of conduct by organisations and associations
Recital 99 – Consultation of stakeholders and data subjects in the development of codes of conduct
Recital 100 – Certification
Recital 101 – General principles for international data transfers
Recital 103 – Appropriate level of data protection based on an adequacy decision
Recital 104 – Criteria for an adequacy decision
Recital 105 – Consideration of international agreements for an adequacy decision
Recital 106 – Monitoring and periodic review of the level of data protection
Recital 107 – Amendment, revocation and suspension of adequacy decisions
Recital 108 – Appropriate safeguards
Recital 109 – Standard data protection clauses
Recital 110 – Binding corporate rules
Recital 111 – Exceptions for certain cases of international transfers
Recital 112 – Data transfers due to important reasons of public interest
Recital 113 – Transfers qualified as not repetitive and that only concern a limited number of data subjects
Recital 114 – Safeguarding of enforceability of rights and obligations in the absence of an adequacy decision
Recital 115 – Rules in third countries contrary to the Regulation
Recital 116 – Cooperation among supervisory authorities
Recital 117 – Establishment of supervisory authorities
Recital 118 – Monitoring of the supervisory authorities
Recital 119 – Organisation of several supervisory authorities of a Member State
Recital 120 – Features of supervisory authorities
Recital 121 – Independence of the supervisory authorities
Recital 102 – International agreements for an appropriate level of data protection
Recital 122 – Responsibility of the supervisory authorities
Recital 123 – Cooperation of the supervisory authorities with each other and with the Commission
Recital 124 – Lead authority regarding processing in several Member States
Recital 125 – Competences of the lead authority
Recital 126 – Joint decisions
Recital 127 – Information of the supervisory authority regarding local processing
Recital 128 – Responsibility regarding processing in the public interest
Recital 129 – Tasks and powers of the supervisory authorities
Recital 130 – Consideration of the authority with which the complaint has been lodged
Recital 131 – Attempt of an amicable settlement
Recital 132 – Awareness-raising activities and specific measures
Recital 133 – Mutual assistance and provisional measures
Recital 134 – Participation in joint operations
Recital 135 – Consistency mechanism
Recital 136 – Binding decisions and opinions of the Board
Recital 137 – Provisional measures
Recital 138 – Urgency procedure
Recital 139 – European Data Protection Board
Recital 140 – Secretariat and staff of the Board
Recital 141 – Right to lodge a complaint
Recital 154 – Principle of public access to official documents
Recital 155 – Processing in the employment context
Recital 156 – Processing for archiving, scientific or historical research or statistical purposes
Recital 157 – Information from registries and scientific research
Recital 158 – Processing for archiving purposes
Recital 159 – Processing for scientific research purposes
Recital 160 – Processing for historical research purposes
Recital 161 – Consenting to the participation in clinical trials
Recital 142 – The right of data subjects to mandate a not-for-profit body, organisation or association
Recital 143 – Judicial remedies
Recital 144 – Related proceedings
Recital 145 – Choice of venue
Recital 146 – Indemnity
Recital 147 – Jurisdiction
Recital 148 – Penalties
Recital 149 – Penalties for infringements of national rules
Recital 150 – Administrative fines
Recital 151 – Administrative fines in Denmark and Estonia
Recital 152 – Power of sanction of the Member States
Recital 153 – Processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression
Recital 162 – Processing for statistical purposes
Recital 163 – Production of European and national statistics
Recital 164 – Professional or other equivalent secrecy obligations
Recital 165 – No prejudice of the status of churches and religious associations
Recital 166 – Delegated acts of the Commission
Recital 167 – Implementing powers of the Commission
Recital 168 – Implementing acts on standard contractual clauses
Recital 169 – Immediately applicable implementing acts
Recital 170 – Principle of subsidiarity and principle of proportionality
Recital 171 – Repeal of Directive 95/46/EC and transitional provisions
Recital 172 – Consultation of the European Data Protection Supervisor
Recital 173 – Relationship to Directive 2002/58/EC
GDPR compliance is easier with encrypted email