GDPR — Recitals

All 173 recitals of the GDPR (EU 2016/679)

• Recital 1The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of...
• Recital 2The principles of, and rules on the protection of natural persons with regard to the processing of their personal data s...
• Recital 3Directive 95/46/EC of the European Parliament and of the Councilseeks to harmonise the protection of fundamental rights ...
• Recital 4The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not...
• Recital 5The economic and social integration resulting from the functioning of the internal market has led to a substantial incre...
• Recital 6Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The ...
• Recital 7Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforceme...
• Recital 8Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, a...
• Recital 9The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implemen...
• Recital 10In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of ...
• Recital 11Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the r...
• Recital 12Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of ...
• Recital 13In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences ...
• Recital 14The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of resid...
• Recital 15In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologicall...
• Recital 16This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal d...
• Recital 17Regulation (EC) No 45/2001 of the European Parliament and of the Councilapplies to the processing of personal data by th...
• Recital 18This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal...
• Recital 19The protection of natural persons with regard to the processing of personal data by competent authorities for the purpos...
• Recital 20While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member S...
• Recital 21This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Co...
• Recital 22Any processing of personal data in the context of the activities of an establishment of a controller or a processor in t...
• Recital 23In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulat...
• Recital 24The processing of personal data of data subjects who are in the Union by a controller or processor not established in th...
• Recital 25Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller ...
• Recital 26The principles of data protection should apply to any information concerning an identified or identifiable natural perso...
• Recital 27This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding t...
• Recital 28The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help contro...
• Recital 29In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation shou...
• Recital 30Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, ...
• Recital 31Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their ...
• Recital 32Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indic...
• Recital 33It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at t...
• Recital 34Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natur...
• Recital 35Personal data concerning health should include all data pertaining to the health status of a data subject which reveal i...
• Recital 36The main establishment of a controller in the Union should be the place of its central administration in the Union, unle...
• Recital 37A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling ...
• Recital 38Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequen...
• Recital 39Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal dat...
• Recital 40In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject ...
• Recital 41Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative ...
• Recital 42Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subj...
• Recital 43In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of p...
• Recital 44Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract...
• Recital 45Where processing is carried out in accordance with a legal obligation to which the controller is subject or where proces...
• Recital 46The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which ...
• Recital 47The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, o...
• Recital 48Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate ...
• Recital 49The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network ...
• Recital 50The processing of personal data for purposes other than those for which the personal data were initially collected shoul...
• Recital 51Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit sp...
• Recital 52Derogating from the prohibition on processing special categories of personal data should also be allowed when provided f...
• Recital 53Special categories of personal data which merit higher protection should be processed for health-related purposes only w...
• Recital 54The processing of special categories of personal data may be necessary for reasons of public interest in the areas of pu...
• Recital 55Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by co...
• Recital 56Where in the course of electoral activities, the operation of the democratic system in a Member State requires that poli...
• Recital 57If the personal data processed by a controller do not permit the controller to identify a natural person, the data contr...
• Recital 58The principle of transparency requires that any information addressed to the public or to the data subject be concise, e...
• Recital 59Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, includin...
• Recital 60The principles of fair and transparent processing require that the data subject be informed of the existence of the proc...
• Recital 61The information in relation to the processing of personal data relating to the data subject should be given to him or he...
• Recital 62However, it is not necessary to impose the obligation to provide information where the data subject already possesses th...
• Recital 63A data subject should have the right of access to personal data which have been collected concerning him or her, and to ...
• Recital 64The controller should use all reasonable measures to verify the identity of a data subject who requests access, in parti...
• Recital 65A data subject should have the right to have personal data concerning him or her rectified and aright to be forgottenwhe...
• Recital 66To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such ...
• Recital 67Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected ...
• Recital 68To further strengthen the control over his or her own data, where the processing of personal data is carried out by auto...
• Recital 69Where personal data might lawfully be processed because processing is necessary for the performance of a task carried ou...
• Recital 70Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object...
• Recital 71The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal...
• Recital 72Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal ground...
• Recital 73Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of per...
• Recital 74The responsibility and liability of the controller for any processing of personal data carried out by the controller or ...
• Recital 75The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal dat...
• Recital 76The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference...
• Recital 77Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the p...
• Recital 78The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that...
• Recital 79The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers an...
• Recital 80Where a controller or a processor not established in the Union is processing personal data of data subjects who are in t...
• Recital 81To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the proc...
• Recital 82In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processi...
• Recital 83In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor ...
• Recital 84In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to t...
• Recital 85A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-ma...
• Recital 86The controller should communicate to the data subject a personal data breach, without undue delay, where that personal d...
• Recital 87It should be ascertained whether all appropriate technological protection and organisational measures have been implemen...
• Recital 88In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches,...
• Recital 89Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory author...
• Recital 90In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in or...
• Recital 91This should in particular apply to large-scale processing operations which aim to process a considerable amount of perso...
• Recital 92There are circumstances under which it may be reasonable and economical for the subject of a data protection impact asse...
• Recital 93In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or ...
• Recital 94Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security me...
• Recital 95The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligation...
• Recital 96A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or ...
• Recital 97Where the processing is carried out by a public authority, except for courts or independent judicial authorities when ac...
• Recital 98Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes ...
• Recital 99When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing...
• Recital 100In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and ...
• Recital 101Flows of personal data to and from countries outside the Union and international organisations are necessary for the exp...
• Recital 102This Regulation is without prejudice to international agreements concluded between the Union and third countries regulat...
• Recital 103The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within ...
• Recital 104In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Com...
• Recital 105Apart from the international commitments the third country or international organisation has entered into, the Commissio...
• Recital 106The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or...
• Recital 107The Commission may recognise that a third country, a territory or a specified sector within a third country, or an inter...
• Recital 108In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of d...
• Recital 109The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by ...
• Recital 110A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of a...
• Recital 111Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given hi...
• Recital 112Those derogations should in particular apply to data transfers required and necessary for important reasons of public in...
• Recital 113Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also b...
• Recital 114In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the...
• Recital 115Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing acti...
• Recital 116When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to...
• Recital 117The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their power...
• Recital 118The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to contro...
• Recital 119Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the...
• Recital 120Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necess...
• Recital 121The general conditions for the member or members of the supervisory authority should be laid down by law in each Member ...
• Recital 122Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to pe...
• Recital 123The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute ...
• Recital 124Where the processing of personal data takes place in the context of the activities of an establishment of a controller o...
• Recital 125The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it...
• Recital 126The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and sh...
• Recital 127Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where ...
• Recital 128The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is car...
• Recital 129In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory author...
• Recital 130Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead...
• Recital 131Where another supervisory authority should act as a lead supervisory authority for the processing activities of the cont...
• Recital 132Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directe...
• Recital 133The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to e...
• Recital 134Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities...
• Recital 135In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for coope...
• Recital 136In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majo...
• Recital 137There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the ...
• Recital 138The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effect...
• Recital 139In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of ...
• Recital 140The Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the Euro...
• Recital 141Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the ...
• Recital 142Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the rig...
• Recital 143Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of...
• Recital 144Where a court seized of proceedings against a decision by a supervisory authority has reason to believe that proceedings...
• Recital 145For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the c...
• Recital 146The controller or processor should compensate any damage which a person may suffer as a result of processing that infrin...
• Recital 147Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a ju...
• Recital 148In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should ...
• Recital 149Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including...
• Recital 150In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory aut...
• Recital 151The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules ...
• Recital 152Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in case...
• Recital 153Member States law should reconcile the rules governing freedom of expression and information, including journalistic, ac...
• Recital 154This Regulation allows the principle of public access to official documents to be taken into account when applying this ...
• Recital 155Member State law or collective agreements, includingworks agreements, may provide for specific rules on the processing o...
• Recital 156The processing of personal data for archiving purposes in the public interest, scientific or historical research purpose...
• Recital 157By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread m...
• Recital 158Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing ...
• Recital 159Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing...
• Recital 160Where personal data are processed for historical research purposes, this Regulation should also apply to that processing...
• Recital 161For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant pr...
• Recital 162Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Me...
• Recital 163The confidential information which the Union and national statistical authorities collect for the production of official...
• Recital 164As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data ...
• Recital 165This Regulation respects and does not prejudice the status under existing constitutional law of churches and religious a...
• Recital 166In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural p...
• Recital 167In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred...
• Recital 168The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between c...
• Recital 169The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third count...
• Recital 170Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the fr...
• Recital 171Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of thi...
• Recital 172The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and...
• Recital 173This Regulation should apply to all matters concerning the protection of fundamental rights and freedomsthe processing o...

Source: EUR-Lex CELEX 02016R0679-20160504