GDPR Articles 1-99 Breakdown: What You Need for CIPP/E Exam Success

📖 Your Complete GDPR Article Reference

This comprehensive guide breaks down all 99 GDPR articles with specific focus on what's tested in the CIPP/E exam. Learn which articles appear most frequently, understand key provisions, master important definitions, and identify common exam scenarios. Each article includes exam tips, related recitals, and practice focus areas.

At a glance: 99 total articles, 173 recitals, 11 chapters, with the top 20 most-tested articles highlighted below.

🚨 Top 20 Most-Tested Articles for CIPP/E

  1. Article 4 - Definitions
  2. Article 5 - Principles
  3. Article 6 - Lawfulness
  4. Article 7 - Consent
  5. Article 9 - Special Categories
  6. Articles 12-14 - Transparency
  7. Article 15 - Access
  8. Article 17 - Erasure
  9. Article 25 - Data Protection by Design
  10. Article 28 - Processor
  11. Article 30 - Records
  12. Article 32 - Security
  13. Articles 33-34 - Breach
  14. Article 35 - DPIA
  15. Articles 37-39 - DPO
  16. Articles 44-46 - Transfers
  17. Article 49 - Derogations
  18. Article 56 - Lead Authority
  19. Article 83 - Fines

Chapter I - General Provisions (Articles 1-4)

Foundation & Definitions

The cornerstone of GDPR - Sets scope, objectives, and key terminology

Art. 1 - Subject-matter and Objectives

Establishes GDPR's dual purpose: protecting fundamental rights and ensuring free movement of personal data within the EU.

Key Points: Protection of natural persons, fundamental rights and freedoms, free movement not restricted
Exam Tip: Questions often test understanding that GDPR balances protection with data flow - not just restriction

Art. 2 - Material Scope

Defines what processing falls under GDPR and important exclusions.

Applies to: Wholly/partly automated processing, manual filing systems
Excludes: Purely personal/household activities, law enforcement (LED applies), national security, deceased persons
Exam Tip: Household exemption has limits - social media sharing often falls outside exemption

Art. 3 - Territorial Scope

Determines when GDPR applies to organizations inside and outside the EU.

Two triggers:
1. Establishment: Processing in context of EU establishment activities
2. Targeting: Offering goods/services OR monitoring behavior in EU
Exam Tip: "Establishment" is broad - includes real and effective activity through stable arrangements. Website in EU language alone doesn't trigger Article 3(2)

Art. 4 - Definitions ⭐ CRITICAL

26 essential definitions forming GDPR's vocabulary - MUST memorize all for exam.

Top 10 Must-Know Definitions:
  1. Personal data: Any information relating to identified/identifiable natural person
  2. Processing: Any operation on personal data (collection to destruction)
  3. Controller: Determines purposes and means of processing
  4. Processor: Processes on behalf of controller
  5. Data subject: Identified/identifiable natural person
  6. Consent: Freely given, specific, informed, unambiguous indication
  7. Personal data breach: Accidental/unlawful destruction, loss, alteration, disclosure, access
  8. Special categories: Racial/ethnic, political, religious, genetic, biometric, health, sex life
  9. Pseudonymisation: Cannot identify without additional information kept separately
  10. Filing system: Structured set of personal data accessible by criteria
Exam Strategy: Create flashcards for all 26 definitions. Exam tests nuanced understanding - e.g., "identifiable" includes online identifiers, location data

Chapter II - Principles (Articles 5-11)

Core Data Protection Principles

Fundamental rules governing all processing activities

Art. 5 - Principles ⭐ CRITICAL

Seven fundamental principles that underpin all GDPR obligations.

The 7 Principles (memorize acronym: LAFS PIC):
  1. Lawfulness, fairness and transparency: Process legally, fairly, transparently
  2. Purpose limitation: Specified, explicit, legitimate purposes
  3. Data minimisation: Adequate, relevant, limited to necessary
  4. Accuracy: Accurate and kept up to date
  5. Storage limitation: No longer than necessary
  6. Integrity and confidentiality: Appropriate security
  7. Accountability: Demonstrate compliance with above
Exam Focus: Questions test applying principles to scenarios. Understand "compatible purposes" for further processing, especially archiving/research exceptions

Art. 6 - Lawfulness of Processing ⭐ CRITICAL

Six legal bases - processing is only lawful if at least one applies.

The 6 Legal Bases:
(a) Consent - Clear affirmative action
(b) Contract - Necessary for contract performance
(c) Legal obligation - Controller subject to legal requirement
(d) Vital interests - Life or death situations
(e) Public task - Public interest or official authority
(f) Legitimate interests - Requires balancing test
Common Traps: Cannot switch bases mid-processing. Legitimate interests not available for public authorities. "Necessary" means more than useful but less than essential

Art. 7 - Conditions for Consent

Specific requirements when relying on consent as lawful basis.

Key Requirements:
• Demonstrable (burden of proof on controller)
• Clear and plain language
• Distinguishable from other matters
• Withdrawable as easily as given
• Not valid if clear imbalance (employer/employee)
Exam Alert: Pre-ticked boxes = invalid consent. Consent for different purposes must be granular

Art. 8 - Child's Consent

Special rules for information society services offered directly to children.

Age Thresholds:
• Default: 16 years
• Member States can lower to 13 (not below)
• Variations: UK/Sweden (13), France/Germany (15), others (16)
Know This: Parental consent required below threshold. Controller must make "reasonable efforts" to verify considering available technology

Art. 9 - Special Categories ⭐ CRITICAL

Processing of sensitive data is prohibited unless specific exception applies.

Special Categories:
Racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data (for identification), health data, sex life/sexual orientation

Key Exceptions (10 total):
(a) Explicit consent
(b) Employment/social security law
(c) Vital interests (subject incapable)
(d) Legitimate activities (non-profit bodies)
(e) Manifestly made public
(f) Legal claims
(g) Substantial public interest
(h) Health/social care
(i) Public health
(j) Archiving/research
Exam Focus: Questions test recognizing what qualifies as special category data and matching correct exception to scenario

Art. 10 - Criminal Convictions Data

Processing only under official authority control or when authorized by law.

Remember: More restrictive than special categories - comprehensive register only under official authority

Art. 11 - Processing Not Requiring Identification

No obligation to maintain/acquire additional information solely for GDPR compliance.

Practical Application: If controller can't identify individuals, Articles 15-20 don't apply unless data subject provides additional information

Chapter III - Rights of the Data Subject (Articles 12-23)

Data Subject Rights & Transparency

Core rights and how to exercise them - heavily tested area

Art. 12 - Transparent Information & Modalities

General rules for exercising rights and controller communication.

Response Timelines:
• Standard: 1 month from receipt
• Extension: +2 months for complex/numerous requests (must inform within 1 month)
• No action: Inform within 1 month with reasons
Key Rules:
• Information free of charge (excessive requests exception)
• Concise, transparent, intelligible, clear language
• Identity verification may be required

Arts. 13-14 - Information to be Provided ⭐ CRITICAL

Transparency requirements differ based on collection source.

Article 13 - Direct Collection:
• Provide at time of obtaining data

Article 14 - Indirect Collection:
• Within reasonable period (max 1 month)
• At first communication if used for that
• Before disclosure to another recipient

Must Provide (both articles):
• Controller identity and contact
• DPO contact (if applicable)
• Purposes and legal basis
• Legitimate interests (if applicable)
• Recipients or categories
• International transfers
• Retention period/criteria
• Data subject rights
• Right to complain to SA
• Whether statutory/contractual requirement
• Automated decision-making existence
Article 14 Exceptions: Already has information, impossible/disproportionate effort, legal obligation, professional secrecy

Art. 15 - Right of Access ⭐ CRITICAL

Right to obtain confirmation and access to personal data.

Must Provide:
• Purposes of processing
• Categories of data
• Recipients/categories
• Retention period
• Rights (rectification, erasure, restriction, objection)
• Right to complain
• Source (if not collected directly)
• Automated decision-making
• Transfer safeguards
Copy Rights: First copy free, reasonable fee for additional. Electronic request = electronic format. Cannot adversely affect others' rights

Art. 16 - Right to Rectification

Right to correct inaccurate data and complete incomplete data.

Remember: "Without undue delay" timeline. Includes right to provide supplementary statement

Art. 17 - Right to Erasure ("Right to be Forgotten") ⭐ CRITICAL

Right to have personal data erased in specific circumstances.

Six Grounds for Erasure:
  1. No longer necessary for original purposes
  2. Consent withdrawn (and no other legal basis)
  3. Successful objection under Art. 21
  4. Unlawfully processed
  5. Legal obligation requires erasure
  6. Children's data under Art. 8
Key Exceptions:
• Freedom of expression
• Legal obligation/public interest
• Public health reasons
• Archiving/research (would impair objectives)
• Legal claims
Public Disclosure: If data made public, must take reasonable steps (including technical) to inform other controllers

Art. 18 - Right to Restriction

Right to limit processing in specific situations.

Four Grounds:
1. Accuracy contested (while verifying)
2. Unlawful but subject opposes erasure
3. Controller no longer needs but subject needs for legal claims
4. Pending decision on Art. 21 objection

Art. 19 - Notification Obligation

Must inform recipients about rectification, erasure, or restriction.

Exception: Impossible or disproportionate effort. Must inform data subject about recipients if requested

Art. 20 - Right to Data Portability

Right to receive and transmit data in structured, commonly used format.

Conditions (ALL must apply):
• Processing based on consent OR contract
• Processing carried out by automated means
• Data provided by the data subject

Format: Structured, commonly used, machine-readable
Scope: Only data "provided by" subject (includes observed data like activity logs, excludes inferred/derived data)

Art. 21 - Right to Object ⭐ CRITICAL

Right to object to processing in specific circumstances.

Two Types:

1. General Objection (Art. 21(1)):
• Applies to: Public task (e) or legitimate interests (f)
• Controller must stop UNLESS compelling legitimate grounds that override

2. Direct Marketing (Art. 21(2-3)):
• ABSOLUTE right - no exceptions
• Includes profiling related to direct marketing
• Must be explicitly brought to attention at first communication
Critical: Direct marketing objection is absolute. General objection allows controller to demonstrate compelling grounds

Art. 22 - Automated Decision-Making & Profiling

Right not to be subject to solely automated decisions with legal/significant effects.

General Rule: Prohibited

Three Exceptions:
1. Necessary for contract
2. Authorized by law with safeguards
3. Explicit consent

Special Categories: Only with explicit consent OR substantial public interest
Safeguards Required: Right to human intervention, express views, contest decision

Art. 23 - Restrictions

Member States can restrict rights via legislative measures for specific objectives.

Permitted Objectives Include: National security, defense, public security, criminal investigations, important economic interests, public health, professional ethics

Chapter IV - Controller and Processor (Articles 24-43)

Organizational Obligations & Accountability

Technical and organizational measures for compliance

Art. 24 - Responsibility of Controller

General accountability obligation - implement and demonstrate compliance.

Key Principle: Risk-based approach considering nature, scope, context, purposes, and risks

Art. 25 - Data Protection by Design and Default ⭐ CRITICAL

Proactive implementation of data protection principles.

By Design: Implement appropriate measures at determination of means AND at processing

By Default: Only process data necessary for specific purpose (amount, extent, retention, accessibility)
Examples: Pseudonymisation, data minimization, transparency measures. Default settings must be privacy-friendly

Art. 26 - Joint Controllers

Two or more controllers jointly determining purposes and means.

Requirements:
• Transparent arrangement determining responsibilities
• Essence made available to data subjects
• Each can be contacted by data subjects

Art. 27 - Representatives of Non-EU Controllers

Required when Article 3(2) applies but no EU establishment.

Exceptions: Occasional processing, no special categories/criminal data, unlikely risk to rights

Art. 28 - Processor ⭐ CRITICAL

Requirements for using processors and mandatory contract terms.

Mandatory Contract Elements:
• Subject-matter, duration, nature, purpose
• Type of personal data and categories of subjects
• Controller obligations and rights
• Process only on documented instructions
• Confidentiality obligations
• Article 32 security compliance
• Sub-processor rules
• Assist with data subject rights
• Assist with compliance (DPIAs, security, breach)
• Delete/return after services end
• Demonstrate compliance/allow audits
Sub-processors: Need prior specific or general written authorization. Processor liable if sub fails

Art. 30 - Records of Processing Activities ⭐ CRITICAL

Documentation requirement for controllers and processors.

Controller Records Include:
• Name/contact details
• Purposes
• Categories of subjects and data
• Recipients
• International transfers
• Retention periods
• Security measures description
Exemption: Organizations <250 employees UNLESS: risk to rights, not occasional, includes special categories/criminal data

Art. 32 - Security of Processing ⭐ CRITICAL

Technical and organizational measures for appropriate security.

Consider: State of art, costs, nature/scope/context/purposes, risk

Example Measures:
• Pseudonymisation and encryption
• Ensuring confidentiality, integrity, availability, resilience
• Restore availability after incident
• Regular testing and evaluation

Arts. 33-34 - Personal Data Breach ⭐ CRITICAL

Article 33 - Notification to Authority:
• Timeline: 72 hours after awareness
• Late notification must include reasons
• Not required if unlikely risk to rights

Article 34 - Communication to Data Subject:
• Required for HIGH risk to rights
• Clear and plain language
• Without undue delay
Article 34 Exceptions:
• Encryption/measures making data unintelligible
• Subsequent measures eliminating high risk
• Disproportionate effort (use public communication)

Art. 35 - Data Protection Impact Assessment ⭐ CRITICAL

Required for high-risk processing before processing begins.

Required When (examples):
• Systematic extensive evaluation + automated decisions with legal effects
• Large scale special categories/criminal data
• Large scale systematic public area monitoring
Must Contain: Description of processing, necessity/proportionality assessment, risk assessment, mitigation measures

Art. 36 - Prior Consultation

Required when DPIA indicates high risk without mitigation.

SA must respond within 8 weeks (extendable by 6 weeks)

Arts. 37-39 - Data Protection Officer ⭐ CRITICAL

Article 37 - Mandatory Appointment:
(a) Public authority/body (except courts)
(b) Core activities = regular systematic monitoring at large scale
(c) Core activities = large scale special categories/criminal data

Article 38 - Position:
• Proper and timely involvement
• Resources and access to data
• No conflict of interest
• Cannot be dismissed/penalized for tasks
• Reports to highest management

Article 39 - Tasks:
• Inform and advise
• Monitor compliance
• DPIA advice
• Cooperate with SA
• Act as contact point
Key: DPO can be internal or external. Group DPO allowed if easily accessible

Chapter V - International Transfers (Articles 44-50)

Cross-Border Data Transfers

Complex rules for transfers outside EEA - heavily tested

Art. 44 - General Principle

All GDPR provisions must be complied with for any transfer.

Key: Chapter V is additional to, not instead of, other GDPR requirements

Art. 45 - Adequacy Decision

Commission determination that third country ensures adequate protection.

Current Adequate Countries/Territories: Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay
Note: US adequacy via Data Privacy Framework (replaced Privacy Shield)

Art. 46 - Appropriate Safeguards ⭐ CRITICAL

Transfer mechanisms when no adequacy decision exists.

With Authorization:
• Binding Corporate Rules (BCRs)
• Standard Contractual Clauses (SCCs)
• Approved code of conduct + binding commitments
• Approved certification + binding commitments

Without Authorization:
• Legally binding instrument between public authorities
• Pre-GDPR authorized BCRs/SCCs

Art. 49 - Derogations ⭐ CRITICAL

Specific situation exceptions - interpreted strictly.

Seven Derogations:
(a) Explicit consent after information about risks
(b) Necessary for contract with data subject
(c) Necessary for contract in interest of data subject
(d) Important public interest reasons
(e) Legal claims
(f) Vital interests (subject incapable of consent)
(g) Public register
Critical: Must be "necessary" not just convenient. Cannot be used for repetitive/massive/structural transfers

Chapters VI-VIII - Enforcement & Remedies (Articles 51-84)

Art. 56 - Lead Supervisory Authority

One-stop-shop mechanism for cross-border processing.

Lead SA: Where controller/processor has main establishment or single establishment

Art. 60 - Cooperation

Lead SA cooperates with concerned SAs to reach consensus.

Art. 77 - Right to Lodge Complaint

With SA in member state of residence, work, or infringement.

Art. 82 - Right to Compensation

Material or non-material damage compensation right.

Art. 83 - Administrative Fines ⭐ CRITICAL

Two Tiers:

Tier 1 - Up to €10M or 2% global turnover:
• Children's consent (Art. 8)
• Processing without Article 9/10 conditions
• Articles 25-39 (technical/organizational)
• Certification body obligations
• Monitoring body obligations

Tier 2 - Up to €20M or 4% global turnover:
• Basic principles (Art. 5, 6, 7, 9)
• Data subject rights (Art. 12-22)
• International transfers (Art. 44-49)
• Member state law obligations
• Non-compliance with SA order
Factors: Nature/gravity/duration, intentional/negligent, mitigation actions, previous infringements, cooperation, categories affected, how SA learned

Study Strategy for GDPR Articles

Mastering GDPR articles requires strategic focus. Here's your prioritized study approach:

  1. Week 1-2: Master Article 4 definitions and Article 5 principles completely
  2. Week 3-4: Deep dive into lawful basis (6-9) and data subject rights (12-22)
  3. Week 5-6: Controller/processor obligations (24-39)
  4. Week 7: International transfers (44-49)
  5. Week 8: Enforcement and fines (77-84)
Pro Tip: Create a personal "GDPR Bible" - a condensed version with key points from each article. Review this daily during your final exam week.