The EU General Data Protection Regulation (GDPR): A Commentary

Foreword
Editors’ Preface
Contents
Table of Cases
Table of Instruments
List of Abbreviations
List of Contributors
Background and Evolution of the EU General Data Protection Regulation (GDPR) (Christopher Kuner, Lee A. Bygrave and Christopher Docksey)
Chapter I: General Provisions (Articles 1–4)
	Article 1 Subject-matter and objectives (Hielke Hijmans)
	Article 2 Material scope (Herke Kranenborg)
	Article 3 Territorial scope (Dan Jerker B. Svantesson)
	Article 4 Definitions (Luca Tosoni and Lee A. Bygrave)
	Article 4(1) Personal data (Lee A. Bygrave and Luca Tosoni)
	Article 4(2) Processing (Luca Tosoni and Lee A. Bygrave)
	Article 4(3) Restriction of processing (Luca Tosoni)
	Article 4(4) Profiling (Lee A. Bygrave)
	Article 4(5) Pseudonymisation (Luca Tosoni)
	Article 4(6) Filing system (Luca Tosoni)
	Article 4(7) Controller (Lee A. Bygrave and Luca Tosoni)
	Article 4(8) Processor (Lee A. Bygrave and Luca Tosoni)
	Article 4(9) Recipient (Luca Tosoni)
	Article 4(10) Third party (Luca Tosoni)
	Article 4(11) Consent (Lee A. Bygrave and Luca Tosoni)
	Article 4(12) Personal data breach (Luca Tosoni)
	Article 4(13) Genetic data (Lee A. Bygrave and Luca Tosoni)
	Article 4(14) Biometric data (Lee A. Bygrave and Luca Tosoni)
	Article 4(15) Data concerning health (Lee A. Bygrave and Luca Tosoni)
	Article 4(16) Main establishment (Luca Tosoni)
	Article 4(17) Representative (Luca Tosoni)
	Article 4(18) Enterprise (Lee A. Bygrave and Luca Tosoni)
	Article 4(19) Group of undertakings (Luca Tosoni)
	Article 4(20) Binding corporate rules (Luca Tosoni)
	Article 4(21) Supervisory authority (Lee A. Bygrave)
	Article 4(22) Supervisory authority concerned (Luca Tosoni)
	Article 4(23) Cross- border processing (Luca Tosoni)
	Article 4(24) Relevant and reasoned objection (Luca Tosoni)
	Article 4(25) Information society service (Luca Tosoni)
	Article 4(26) International organisation (Lee A. Bygrave and Luca Tosoni)
Chapter II: Principles (Articles 5–11)
	Article 5 Principles relating to processing of personal data (Cécile de Terwangne)
	Article 6 Lawfulness of processing (Waltraut Kotschy)
	Article 7 Conditions for consent (Eleni Kosta)
	Article 8 Conditions applicable to child’s consent in relation to information society services (Eleni Kosta)
	Article 9 Processing of special categories of personal data (Ludmila Georgieva and Christopher Kuner)
	Article 10 Processing of personal data relating to criminal convictions and offences (Ludmila Georgieva)
	Article 11 Processing which does not require identification (Ludmila Georgieva)
Chapter III: Rights of the Data Subject (Articles 12–23)
	Section 1 Transparency and modalities
		Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject (Radim Polčák)
	Section 2 Information and access to personal data
		Article 13 Information to be provided where personal data are collected from the data subject (Gabriela Zanfir-Fortuna)
		Article 14 Information to be provided where personal data have not been obtained from the data subject (Gabriela Zanfir- Fortuna)
		Article 15 Right of access by the data subject (Gabriela Zanfir- Fortuna)
	Section 3 Rectification and erasure
		Article 16 Right to rectification (Cécile de Terwangne)
		Article 17 Right to erasure (‘right to be forgotten’) (Herke Kranenborg)
		Article 18 Right to restriction of processing (Gloria González Fuster)
		Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing (Gloria González Fuster)
		Article 20 Right to data portability (Orla Lynskey)
	Section 4 Right to object and automated individual decision-making
		Article 21 Right to object (Gabriela Zanfir-Fortuna)
		Article 22 Automated individual decision-making, including profiling (Lee A. Bygrave)
	Section 5 Restrictions
		Article 23 Restrictions (Dominique Moore)
Chapter IV: Controller and Processor (Articles 24–43)
	Section 1 General obligations
		Article 24 Responsibility of the controller (Christopher Docksey)
		Article 25 Data protection by design and by default (Lee A. Bygrave)
		Article 26 Joint controllers (Christopher Millard and Dimitra Kamarinou)
		Article 27 Representatives of controllers or processors not established in the Union (Christopher Millard and Dimitra Kamarinou)
		Article 28 Processor (Christopher Millard and Dimitra Kamarinou)
		Article 29 Processing under the authority of the controller or processor (Christopher Millard and Dimitra Kamarinou)
		Article 30 Records of processing activities (Waltraut Kotschy)
		Article 31 Cooperation with the supervisory authority (Waltraut Kotschy)
	Section 2 Security of personal data
		Article 32 Security of processing (Cédric Burton)
		Article 33 Notification of a personal data breach to the supervisoryauthority (Cédric Burton)
		Article 34 Communication of a personal data breach to the data subject (Cédric Burton)
	Section 3 Data protection impact assessment and prior consultation
		Article 35 Data protection impact assessment (Eleni Kosta)
		Article 36 Prior consultation (Cecilia Alvarez Rigaudias and Alessandro Spina)
	Section 4 Data protection officer
		Article 37 Designation of the data protection officer (Cecilia Alvarez Rigaudias and Alessandro Spina)
		Article 38 Position of the data protection officer (Cecilia Alvarez Rigaudias and Alessandro Spina)
		Article 39 Tasks of the data protection officer (Cecilia Alvarez Rigaudias and Alessandro Spina)
	Section 5 Codes of conduct and certification
		Article 40 Codes of conduct (Irene Kamara)
		Article 41 Monitoring of approved codes of conduct (Irene Kamara)
		Article 42 Certification (Ronald Leenes)
		Article 43 Certification bodies (Ronald Leenes)
Chapter V: Transfers of Personal Data to Third Countries or International Organisations (Articles 44–50)
	Article 44 General principle for transfers (Christopher Kuner)
	Article 45 Transfers on the basis of an adequacy decision (Christopher Kuner)
	Article 46 Transfers subject to appropriate safeguards (Christopher Kuner)
	Article 47 Binding corporate rules (Christopher Kuner)
	Article 48 Transfers or disclosures not authorised by Union law (Christopher Kuner)
	Article 49 Derogations for specific situations (Christopher Kuner)
	Article 50 International cooperation for the protection of personal data (Christopher Kuner)
Chapter VI: Independent Supervisory Authorities (Articles 51–59)
	Section 1 Independent status
		Article 51 Supervisory authority (Hielke Hijmans)
		Article 52 Independence (Thomas Zerdick)
		Article 53 General conditions for the members of the supervisory authority (Hielke Hijmans)
		Article 54 Rules on the establishment of the supervisory authority (Hielke Hijmans)
	Section 2 Competence, tasks and powers
		Article 55 Competence (Hielke Hijmans)
		Article 56 Competence of the lead supervisory authority (Hielke Hijmans)
		Article 57 Tasks (Hielke Hijmans)
		Article 58 Powers (Ludmila Georgieva and Matthias Schmidl)
		Article 59 Activity reports (Hielke Hijmans)
Chapter VII: Cooperation and Consistency (Articles 60–76)
	Section 1 Cooperation
		Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned (Luca Tosoni)
		Article 61 Mutual assistance (Peter Blume)
		Article 62 Joint operations of supervisory authorities (Peter Blume)
	Section 2 Consistency
		Article 63 Consistency mechanism (Patrick Van Eecke and Anrijs Šimkus)
		Article 64 Opinion of the Board (Patrick Van Eecke and Anrijs Šimkus)
		Article 65 Dispute resolution by the Board (Hielke Hijmans)
		Article 66 Urgency procedure (Ludmila Georgieva)
		Article 67 Exchange of information (Patrick Van Eecke and Anrijs Šimkus)
	Section 3 European Data Protection Board
		Article 68 European Data Protection Board (Christopher Docksey)
		Article 69 Independence (Christopher Docksey)
		Article 70 Tasks of the Board (Christopher Docksey)
		Article 71 Reports (Christopher Docksey)
		Article 72 Procedure (Christopher Docksey)
		Article 73 Chair (Christopher Docksey)
		Article 74 Tasks of the Chair (Christopher Docksey)
		Article 75 Secretariat (Christopher Docksey)
		Article 76 Confidentiality (Christopher Docksey)
Chapter VIII: Remedies, Liability and Penalties (Articles 77–84)
	Article 77 Right to lodge a complaint with a supervisory authority (Waltraut Kotschy)
	Article 78 Right to an effective judicial remedy against a supervisory authority (Waltraut Kotschy)
	Article 79 Right to an effective judicial remedy against a controller or processor (Waltraut Kotschy)
	Article 80 Representation of data subjects (Gloria González Fuster)
	Article 81 Suspension of proceedings (Waltraut Kotschy)
	Article 82 Right to compensation and liability (Gabriela Zanfir- Fortuna)
	Article 83 General conditions for imposing administrative fines (Waltraut Kotschy)
	Article 84 Penalties (Orla Lynskey)
Chapter IX: Provisions Relating to Specific Processing Situations (Articles 85–91)
	Article 85 Processing and freedom of expression and information (Herke Kranenborg)
	Article 86 Processing and public access to official documents (Herke Kranenborg)
	Article 87 Processing of the national identification number (Patrick Van Eecke and Anrijs Šimkus)
	Article 88 Processing in the context of employment (Patrick Van Eecke and Anrijs Šimkus)
	Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
	Article 90 Obligations of secrecy (Christian Wiese Svanberg)
	Article 91 Existing data protection rules of churches and religious associations (Luca Tosoni)
Chapter X: Delegated Acts and Implementing Acts (Articles 92–93)
	Article 92 Exercise of the delegation (Luca Tosoni)
	Article 93 Committee procedure (Luca Tosoni)
Chapter XI: Final Provisions (Articles 94– 99)
	Article 94 Repeal of Directive 95/ 46/ EC (Dominique Moore)
	Article 95 Relationship with Directive 2002/58/EC (Piedade Costa de Oliveira)
	Article 96 Relationship with previously concluded Agreements (Dominique Moore)
	Article 97 Commission reports (Thomas Zerdick)
	Article 98 Review of other Union legal acts on data protection (Luca Tosoni)
	Article 99 Entry into force and application (Dominique Moore)
Index