Recitals Index
Recitals
Considering the following reasons the articles of the GDPR have been adopted. These are the latest and final recitals of April 27th 2016.
- 1 Fundamental right to privacy*
- 2 Right to the protection of personal data*
- 3 Harmonisation of fundamental rights and freedoms*
- 4 Designed to serve mankind*
- 5 Recognising the increasing free flow of personal data*
- 6 Challenge of the rapid development of technology and globalisation*
- 7 Data protection framework*
- 8 Derogation in member state law*
- 9 Need for harmonisation*
- 10 Consistency and homogenisation*
- 11 Strength of effective protection of personal data*
- 12 Mandation of European Parliament and the Council*
- 13 Consistency*
- 14 Scope of protection to natural persons*
- 15 Technology and technique agnostic*
- 16 Applicable only to activities in scope*
- 17 Applicability to personal data processing by the Union institutions*
- 18 Inapplicability to personal and household use*
- 19 Inapplicability to law enforcement purposes*
- 20 Inapplicability to courts acting in their judicial capacity*
- 21 Liability rules of intermediary service providers remain unaffected*
- 22 Reach of establishment*
- 23 Geographical reach*
- 24 Territorial reach*
- 25 Extra territorial reach*
- 26 Anonymisation*
- 27 Only living natural persons*
- 28 Pseudonymisation*
- 29 Internal pseudonymisation*
- 30 Technical identifiers*
- 31 Limited rights where processed for the regulation of financial services*
- 32 Principles of consent*
- 33 Consent for an unknown future purpose in research*
- 34 Genetic data as personal data*
- 35 Health data*
- 36 Determination of establishment*
- 37 Determination of controller*
- 38 Protection of children*
- 39 Fair, lawful and transparent*
- 40 Lawful basis for processing*
- 41 Dependence on legal duty for processing*
- 42 Evidence of consent*
- 43 Balance of power in consent*
- 44 Processing where required by contract*
- 45 Processing carried out in accordance with a legal obligation*
- 46 Processing personal data basis on vital interest*
- 47 Processing based on legitimate interest*
- 48 Group undertakings*
- 49 Processing for security of networks and information security*
- 50 Processing for compatible purposes*
- 51 Special category data*
- 52 Possible derogations for special category data for wider health purposes*
- 53 Processing health data requiring high protection for benefit of society*
- 54 Processing special category data necessary in the public interest*
- 55 Processing by authorities to achieve aims laid down by constitutional law, etc.*
- 56 Processing by political parties*
- 57 Not required to re-identify for compliance with this regulation*
- 58 Accessibility of communications with data subjects*
- 59 Modalities for facilitating data subject’s*
- 60 Information necessary to ensure fair and transparent processing*
- 61 Where personal data can be legitimately disclosed to another recipient*
- 62 Exemptions to the need to inform data subjects*
- 63 Data subject right of access*
- 64 Data subject authentication*
- 65 Right of rectification and erasure*
- 66 Right to erasure for public data*
- 67 Methods to restrict further processing*
- 68 Right to machine-readable data for portability*
- 69 Right to object*
- 70 Right to object to profiling and direct marketing*
- 71 Right not to be subject to a decision based on automated processing*
- 72 Profiling is subject to the rules of this Regulation*
- 73 Processing in accordance with the Charter and European Convention for the Protection of Human Rights*
- 74 Responsibility and liability of the controller*
- 75 Recognition of the varying risk to the rights and freedoms persons*
- 76 Risk assessment*
- 77 Approaches to the issuing of guidance*
- 78 Adoption of technical and organisational controls*
- 79 Duty to clarify allocation of the responsibilities under this Regulation*
- 80 Duty to appoint an EEA Representative*
- 81 Processors*
- 82 Maintaining Records of Processing Activity*
- 83 Security risk assessment*
- 84 Data Protection Impact Assessment*
- 85 Data breach reporting*
- 86 Data breach notification*
- 87 Data breach assessment*
- 88 Data breach risk assessment*
- 89 General requirement to register abolished*
- 90 Requirement to notify where DPIA indicates high-risk*
- 91 Conditions requiring a DPIA*
- 92 Facility for broad DPIAs*
- 93 Member states determination of DPIA requirements*
- 94 Requirement to consult supervisory authority where DPIA indicates high-risk*
- 95 Duty of processor to assist controller with DPIA*
- 96 Duty to consult supervisory authority on new law or regulation impacting personal data*
- 97 General requirement to access supporting expertise*
- 98 Encouraging codes of conduct*
- 99 Duty to consult on codes of conduct*
- 100 Encouraging assurance through certification, seals and marks*
- 101 Transfers to third countries and international organisations must comply*
- 102 Without prejudice to international agreements*
- 103 Adequate level of data protection*
- 104 Assessment of adequacy*
- 105 Adequacy considerations*
- 106 Monitor third countries and international organisations for compliance*
- 107 Prohibition of transfer where inadequacy found*
- 108 In the absence of an adequacy decision*
- 109 Use standard data-protection clauses*
- 110 Binding corporate rules for its international transfers*
- 111 Transfers in certain circumstances*
- 112 Derogations for transfers in the public interest*
- 113 Occasional transfers in the legitimate interests of the controller*
- 114 Enforceable and effective rights in the absence of adequacy*
- 115 Extraterritorial application where in breach of international law*
- 116 International cooperation*
- 117 Independence of supervisory authorities*
- 118 Qualification of independence*
- 119 Single mechanism for multi supervisory authority states*
- 120 Supervisory authority resourcing*
- 121 Member state creation of supervisory authorities*
- 122 Competence of the supervisory authority*
- 123 Cooperation between supervisory authorities*
- 124 One-stop-shop*
- 125 Binding decision of lead authority in multi member cases*
- 126 Agreement between lead and other supervisory authorities where multi state*
- 127 Competency for local matters where not the lead SA*
- 128 Processing in the public interest is a local matter*
- 129 Consistent powers of the SA in all member states*
- 130 Coordination with the lead SA for local complaints*
- 131 Determining lead authority where complaint is not in established state*
- 132 Awareness-raising activities by supervisory authorities*
- 133 Mutual assistance between SA*
- 134 Joint operations with other supervisory authorities*
- 135 Consistency mechanism*
- 136 Decision making and dispute resolution between SA*
- 137 Power to act in an emergency*
- 138 Application of SA emergency controls*
- 139 Creation of the EDPB*
- 140 EDPS secretariat support*
- 141 Every data subject’s right to lodge a complaint*
- 142 Data subject’s right to mandate a not-for-profit body to act for them*
- 143 Right to bring an action against the EDPB to EUCoJ*
- 144 Duty to consult member state courts for a conflict*
- 145 Right to bring court action in member state of controller or processor establishment*
- 146 Right to compensation for damage*
- 147 Determining jurisdiction*
- 148 Power to impose penalties for any infringement*
- 149 Member States determination of criminal penalties for infringements*
- 150 Harmonisation of penalties for infringement*
- 151 Denmark and Estonia do not allow for administrative fines*
- 152 Action where necessary for unharmonised administrative penalties*
- 153 Reconciliation of the rules governing freedom of expression and information*
- 154 Public access to official documents may be considered to be in the public interest*
- 155 Member State law and collective agreements for processing employee data*
- 156 Processing for archiving, scientific or historical research or statistical purposes*
- 157 Benefits of data linkage for research in the public interest*
- 158 Member States authorised to provide for processing of personal data for archiving purposes*
- 159 Processing for scientific research purposes*
- 160 Processing for historical research purposes*
- 161 Consent to participation in clinical trials*
- 162 Processing for statistical purposes*
- 163 Confidential information collected for official European and national statistics*
- 164 SA duty of confidentiality for personal data accessed in the exercise of duties*
- 165 No prejudices to the status of constitutional law of churches and religious associations or communities*
- 166 Delegated power of the Commission*
- 167 Implementing powers conferred on the Commission*
- 168 Examination procedure used for the adoption of implementing acts*
- 169 Commission should adopt implementing acts imperative on grounds of urgency*
- 170 Union may adopt measures in accordance with the principle of subsidiarity to ensure protection*
- 171 Directive 95/46/EC repealed by this Regulation*
- 172 European Data Protection Supervisor was consulted*
- 173 This Regulation applies to the protection of fundamental rights*