- Article 1: Subject-matter and objectives
- Article 2: Material scope
- Article 3: Territorial scope
- Article 4: Definitions
- Article 5: Principles relating to processing of personal data
- Article 6: Lawfulness of processing
- Article 7: Conditions for consent
- Article 8: Conditions applicable to child's consent in relation to information society services
- Article 9: Processing of special categories of personal data
- Article 10: Processing of personal data relating to criminal convictions and offences
- Article 11: Processing which does not require identification
Chapter III: Rights of the data subject
- Section 1: Transparency and modalities
- Section 2: Information and access to personal data
- Section 3: Rectification and erasure
- Section 4: Right to object and automated individual decision-making
- Section 5: Restrictions
Chapter IV: Controller and processor
- Section 1: General obligations
- Article 24: Responsibility of the controller
- Article 25: Data protection by design and by default
- Article 26: Joint controllers
- Article 27: Representatives of controllers or processors not established in the Union
- Article 28: Processor
- Article 29: Processing under the authority of the controller or processor
- Article 30: Records of processing activities
- Article 31: Cooperation with the supervisory authority
- Section 2: Security of personal data
- Section 3: Data protection impact assessment and prior consultation
- Section 4: Data protection officer
- Section 5: Codes of conduct and certification
Chapter V: Transfers of personal data to third countries or international organisations
- Article 44: General principle for transfers
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Article 47: Binding corporate rules
- Article 48: Transfers or disclosures not authorised by Union law
- Article 49: Derogations for specific situations
- Article 50: International cooperation for the protection of personal data
Chapter VI: Independent supervisory authorities
- Section 1: Independent status
- Section 2: Competence, tasks and powers
Chapter VII: Cooperation and consistency
- Section 1: Cooperation
- Section 2: Consistency
- Section 3: European data protection board
Chapter VIII: Remedies, liability and penalties
- Article 77: Right to lodge a complaint with a supervisory authority
- Article 78: Right to an effective judicial remedy against a supervisory authority
- Article 79: Right to an effective judicial remedy against a controller or processor
- Article 80: Representation of data subjects
- Article 81: Suspension of proceedings
- Article 82: Right to compensation and liability
- Article 83: General conditions for imposing administrative fines
- Article 84: Penalties
Chapter IX: Provisions relating to specific processing situations
- Article 85: Processing and freedom of expression and information
- Article 86: Processing and public access to official documents
- Article 87: Processing of the national identification number
- Article 88: Processing in the context of employment
- Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- Article 90: Obligations of secrecy
- Article 91: Existing data protection rules of churches and religious associations
Chapter X: Delegated acts and implementing acts
- Article 94: Repeal of Directive 95/46/EC
- Article 95: Relationship with Directive 2002/58/EC
- Article 96: Relationship with previously concluded Agreements
- Article 97: Commission reports
- Article 98: Review of other Union legal acts on data protection
- Article 99: Entry into force and application