EU 2016/679

General Data Protection Regulation

The foundation of personal data protection in the EU.

Official source: EUR-Lex CELEX:32016R0679

173 recitals
0 with Luxgap guidance
24h avg response time
Rec. 1
The protection of natural persons in relation to the processing of...
Rec. 2
The principles of, and rules on the protection of natural persons...
Rec. 3
Directive 95/46/EC of the European Parliament and of the Council (4)...
Rec. 4
The processing of personal data should be designed to serve mankind....
Rec. 5
The economic and social integration resulting from the functioning of...
Rec. 6
Rapid technological developments and globalisation have brought new...
Rec. 7
Those developments require a strong and more coherent data protection...
Rec. 8
Where this Regulation provides for specifications or restrictions of...
Rec. 9
The objectives and principles of Directive 95/46/EC remain sound, but...
Rec. 10
In order to ensure a consistent and high level of protection of...
Rec. 11
Effective protection of personal data throughout the Union requires...
Rec. 12
Article 16(2) TFEU mandates the European Parliament and the Council...
Rec. 13
In order to ensure a consistent level of protection for natural...
Rec. 14
The protection afforded by this Regulation should apply to natural...
Rec. 15
In order to prevent creating a serious risk of circumvention, the...
Rec. 16
This Regulation does not apply to issues of protection of fundamental...
Rec. 17
Regulation (EC) No 45/2001 of the European Parliament and of the...
Rec. 18
This Regulation does not apply to the processing of personal data by...
Rec. 19
The protection of natural persons with regard to the processing of...
Rec. 20
While this Regulation applies, inter alia, to the activities of...
Rec. 21
This Regulation is without prejudice to the application of Directive...
Rec. 22
Any processing of personal data in the context of the activities of...
Rec. 23
In order to ensure that natural persons are not deprived of the...
Rec. 24
The processing of personal data of data subjects who are in the Union...
Rec. 25
Where Member State law applies by virtue of public international law,...
Rec. 26
The principles of data protection should apply to any information...
Rec. 27
This Regulation does not apply to the personal data of deceased...
Rec. 28
The application of pseudonymisation to personal data can reduce the...
Rec. 29
In order to create incentives to apply pseudonymisation when...
Rec. 30
Natural persons may be associated with online identifiers provided by...
Rec. 31
Public authorities to which personal data are disclosed in accordance...
Rec. 32
Consent should be given by a clear affirmative act establishing a...
Rec. 33
It is often not possible to fully identify the purpose of personal...
Rec. 34
Genetic data should be defined as personal data relating to the...
Rec. 35
Personal data concerning health should include all data pertaining to...
Rec. 36
The main establishment of a controller in the Union should be the...
Rec. 37
A group of undertakings should cover a controlling undertaking and...
Rec. 38
Children merit specific protection with regard to their personal...
Rec. 39
Any processing of personal data should be lawful and fair. It should...
Rec. 40
In order for processing to be lawful, personal data should be...
Rec. 41
Where this Regulation refers to a legal basis or a legislative...
Rec. 42
Where processing is based on the data subject's consent, the...
Rec. 43
In order to ensure that consent is freely given, consent should not...
Rec. 44
Processing should be lawful where it is necessary in the context of a...
Rec. 45
Where processing is carried out in accordance with a legal obligation...
Rec. 46
The processing of personal data should also be regarded to be lawful...
Rec. 47
The legitimate interests of a controller, including those of a...
Rec. 48
Controllers that are part of a group of undertakings or institutions...
Rec. 49
The processing of personal data to the extent strictly necessary and...
Rec. 50
The processing of personal data for purposes other than those for...
Rec. 51
Personal data which are, by their nature, particularly sensitive in...
Rec. 52
Derogating from the prohibition on processing special categories of...
Rec. 53
Special categories of personal data which merit higher protection...
Rec. 54
The processing of special categories of personal data may be...
Rec. 55
Moreover, the processing of personal data by official authorities for...
Rec. 56
Where in the course of electoral activities, the operation of the...
Rec. 57
If the personal data processed by a controller do not permit the...
Rec. 58
The principle of transparency requires that any information addressed...
Rec. 59
Modalities should be provided for facilitating the exercise of the...
Rec. 60
The principles of fair and transparent processing require that the...
Rec. 61
The information in relation to the processing of personal data...
Rec. 62
However, it is not necessary to impose the obligation to provide...
Rec. 63
A data subject should have the right of access to personal data which...
Rec. 64
The controller should use all reasonable measures to verify the...
Rec. 65
A data subject should have the right to have personal data concerning...
Rec. 66
To strengthen the right to be forgotten in the online environment,...
Rec. 67
Methods by which to restrict the processing of personal data could...
Rec. 68
To further strengthen the control over his or her own data, where the...
Rec. 69
Where personal data might lawfully be processed because processing is...
Rec. 70
Where personal data are processed for the purposes of direct...
Rec. 71
The data subject should have the right not to be subject to a...
Rec. 72
Profiling is subject to the rules of this Regulation governing the...
Rec. 73
Restrictions concerning specific principles and the rights of...
Rec. 74
The responsibility and liability of the controller for any processing...
Rec. 75
The risk to the rights and freedoms of natural persons, of varying...
Rec. 76
The likelihood and severity of the risk to the rights and freedoms of...
Rec. 77
Guidance on the implementation of appropriate measures and on the...
Rec. 78
The protection of the rights and freedoms of natural persons with...
Rec. 79
The protection of the rights and freedoms of data subjects as well as...
Rec. 80
Where a controller or a processor not established in the Union is...
Rec. 81
To ensure compliance with the requirements of this Regulation in...
Rec. 82
In order to demonstrate compliance with this Regulation, the...
Rec. 83
In order to maintain security and to prevent processing in...
Rec. 84
In order to enhance compliance with this Regulation where processing...
Rec. 85
A personal data breach may, if not addressed in an appropriate and...
Rec. 86
The controller should communicate to the data subject a personal data...
Rec. 87
It should be ascertained whether all appropriate technological...
Rec. 88
In setting detailed rules concerning the format and procedures...
Rec. 89
Directive 95/46/EC provided for a general obligation to notify the...
Rec. 90
In such cases, a data protection impact assessment should be carried...
Rec. 91
This should in particular apply to large-scale processing operations...
Rec. 92
There are circumstances under which it may be reasonable and...
Rec. 93
In the context of the adoption of the Member State law on which the...
Rec. 94
Where a data protection impact assessment indicates that the...
Rec. 95
The processor should assist the controller, where necessary and upon...
Rec. 96
A consultation of the supervisory authority should also take place in...
Rec. 97
Where the processing is carried out by a public authority, except for...
Rec. 98
Associations or other bodies representing categories of controllers...
Rec. 99
When drawing up a code of conduct, or when amending or extending such...
Rec. 100
In order to enhance transparency and compliance with this Regulation,...
Rec. 101
Flows of personal data to and from countries outside the Union and...
Rec. 102
This Regulation is without prejudice to international agreements...
Rec. 103
The Commission may decide with effect for the entire Union that a...
Rec. 104
In line with the fundamental values on which the Union is founded, in...
Rec. 105
Apart from the international commitments the third country or...
Rec. 106
The Commission should monitor the functioning of decisions on the...
Rec. 107
The Commission may recognise that a third country, a territory or a...
Rec. 108
In the absence of an adequacy decision, the controller or processor...
Rec. 109
The possibility for the controller or processor to use standard...
Rec. 110
A group of undertakings, or a group of enterprises engaged in a joint...
Rec. 111
Provisions should be made for the possibility for transfers in...
Rec. 112
Those derogations should in particular apply to data transfers...
Rec. 113
Transfers which can be qualified as not repetitive and that only...
Rec. 114
In any case, where the Commission has taken no decision on the...
Rec. 115
Some third countries adopt laws, regulations and other legal acts...
Rec. 116
When personal data moves across borders outside the Union it may put...
Rec. 117
The establishment of supervisory authorities in Member States,...
Rec. 118
The independence of supervisory authorities should not mean that the...
Rec. 119
Where a Member State establishes several supervisory authorities, it...
Rec. 120
Each supervisory authority should be provided with the financial and...
Rec. 121
The general conditions for the member or members of the supervisory...
Rec. 122
Each supervisory authority should be competent on the territory of...
Rec. 123
The supervisory authorities should monitor the application of the...
Rec. 124
Where the processing of personal data takes place in the context of...
Rec. 125
The lead authority should be competent to adopt binding decisions...
Rec. 126
The decision should be agreed jointly by the lead supervisory...
Rec. 127
Each supervisory authority not acting as the lead supervisory...
Rec. 128
The rules on the lead supervisory authority and the one-stop-shop...
Rec. 129
In order to ensure consistent monitoring and enforcement of this...
Rec. 130
Where the supervisory authority with which the complaint has been...
Rec. 131
Where another supervisory authority should act as a lead supervisory...
Rec. 132
Awareness-raising activities by supervisory authorities addressed to...
Rec. 133
The supervisory authorities should assist each other in performing...
Rec. 134
Each supervisory authority should, where appropriate, participate in...
Rec. 135
In order to ensure the consistent application of this Regulation...
Rec. 136
In applying the consistency mechanism, the Board should, within a...
Rec. 137
There may be an urgent need to act in order to protect the rights and...
Rec. 138
The application of such mechanism should be a condition for the...
Rec. 139
In order to promote the consistent application of this Regulation,...
Rec. 140
The Board should be assisted by a secretariat provided by the...
Rec. 141
Every data subject should have the right to lodge a complaint with a...
Rec. 142
Where a data subject considers that his or her rights under this...
Rec. 143
Any natural or legal person has the right to bring an action for...
Rec. 144
Where a court seized of proceedings against a decision by a...
Rec. 145
For proceedings against a controller or processor, the plaintiff...
Rec. 146
The controller or processor should compensate any damage which a...
Rec. 147
Where specific rules on jurisdiction are contained in this...
Rec. 148
In order to strengthen the enforcement of the rules of this...
Rec. 149
Member States should be able to lay down the rules on criminal...
Rec. 150
In order to strengthen and harmonise administrative penalties for...
Rec. 151
The legal systems of Denmark and Estonia do not allow for...
Rec. 152
Where this Regulation does not harmonise administrative penalties or...
Rec. 153
Member States law should reconcile the rules governing freedom of...
Rec. 154
This Regulation allows the principle of public access to official...
Rec. 155
Member State law or collective agreements, including ‘works...
Rec. 156
The processing of personal data for archiving purposes in the public...
Rec. 157
By coupling information from registries, researchers can obtain new...
Rec. 158
Where personal data are processed for archiving purposes, this...
Rec. 159
Where personal data are processed for scientific research purposes,...
Rec. 160
Where personal data are processed for historical research purposes,...
Rec. 161
For the purpose of consenting to the participation in scientific...
Rec. 162
Where personal data are processed for statistical purposes, this...
Rec. 163
The confidential information which the Union and national statistical...
Rec. 164
As regards the powers of the supervisory authorities to obtain from...
Rec. 165
This Regulation respects and does not prejudice the status under...
Rec. 166
In order to fulfil the objectives of this Regulation, namely to...
Rec. 167
In order to ensure uniform conditions for the implementation of this...
Rec. 168
The examination procedure should be used for the adoption of...
Rec. 169
The Commission should adopt immediately applicable implementing acts...
Rec. 170
Since the objective of this Regulation, namely to ensure an...
Rec. 171
Directive 95/46/EC should be repealed by this Regulation. Processing...
Rec. 172
The European Data Protection Supervisor was consulted in accordance...
Rec. 173
This Regulation should apply to all matters concerning the protection...
