

Recital 172

General Data Protection Regulation · EU 2016/679

(172)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 (17).
