GDPR Notes

The document discusses key definitions and principles of the GDPR regulation including personal data, processing, lawful basis for processing, and examples of compliance. It defines important terms, outlines when the GDPR applies, and explains the data protection principles that must be followed.

Uploaded by Sonica Dhankhar
Copyright: © All Rights Reserved

Article 1: Protection of personal data of natural persons.

This Regulation sets rules to protect individuals' personal data and to ensure the free movement of such data within the EU. It safeguards the fundamental rights and freedoms of individuals, i.e. the right to protection of personal data. The movement of personal data within the EU cannot be restricted or prohibited on data protection grounds.
For instance, if a company in France needs to transfer personal data to its branch in Germany for business purposes, this Regulation ensures that such a transfer within the EU cannot be blocked or limited solely because of data protection concerns.

Article 2: Material scope of GDPR.

This Regulation applies to the processing of personal data carried out fully or partly by automated means (computers), and also to non-automated processing of personal data that is organised in a structured way, such as in a filing system.
This Regulation doesn't apply to:
Activities that aren't covered by EU law.
Activities carried out by Member States under Chapter 2 of Title V of the TEU.
Personal or household activities carried out by individuals.
Processing by authorities for preventing, investigating or prosecuting criminal offences or enforcing criminal penalties, including protecting public security.

An example of where this Regulation applies is when a company uses automated systems to store and process customer information for marketing purposes. However, it doesn't apply when an individual keeps a list of contacts on paper for personal use, such as a handwritten address book.

Article 3: Territorial scope of GDPR.

This Regulation applies:

When a controller or processor established in the EU processes personal data, regardless of where the processing occurs.
When a controller or processor not established in the EU processes personal data of individuals in the EU if:
They offer goods or services to individuals in the EU, regardless of payment.
They monitor the behaviour of individuals in the EU.
When a controller not based in the EU but subject to Member State law due to international agreements processes personal data.

An example of this Regulation in action is when a social media platform based in the United States offers its services to users in the European Union. Even though the company is not physically located in the EU, it must comply with the GDPR because it processes personal data of EU residents.

Article 4: Definitions.

1. personal data: any information relating to a natural person, who is called the data subject. A person is identifiable by name, ID number, location data, online identifier, or by other factors specific to their physical, economic, social or genetic identity.

2. processing: any set of operations performed on personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting, retrieving, using, erasing or destroying it.

3. restriction of processing: limiting the processing of stored personal data.

4. profiling: a form of automated processing used to evaluate personal aspects of a data subject, e.g. work performance, economic situation, health, personal preferences, behaviour, location or movements.

5. pseudonymisation: processing personal data in such a way that it can no longer be attributed to a data subject without additional information; that additional information is kept separately, so that the personal data on its own does not directly point to a data subject.

6. filing system: a set of personal data organised according to specific criteria.

7. controller: a legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data.

8. processor: a legal person, public authority, agency or other body that processes personal data on behalf of the controller.

9. recipient: a legal person, public authority, agency or other body to whom personal data is disclosed.

10. third party: a legal person, public authority, agency or other body other than the data subject, the controller, the processor, and the persons who are authorised to process personal data under the direct authority of the controller or processor.

11. consent (see also Art 7): a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action, signifying agreement to the processing of their personal data.

12. personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, stored personal data.

13. genetic data: personal data relating to inherited or acquired genetic characteristics which give information about the physiology or health of a natural person, or which are derived from a biological sample.

14. biometric data: personal data relating to the physical, physiological or behavioural characteristics of a natural person which confirm their unique identification, such as facial images or dactyloscopic (fingerprint) data.

15. data concerning health: personal data relating to physical or mental health, including data held by health care services.

16. main establishment: where a controller or processor is established in more than one Member State, its main establishment is its establishment in the Union.

17. representative: a legal person designated under Art 27 to represent the controller or processor with regard to their GDPR obligations.

18. enterprise: a legal person engaged in an economic activity, including partnerships or associations.

19. group of undertakings: a controlling undertaking and the undertakings it controls.

20. binding corporate rules: policies adhered to by a controller or processor in one territory when transferring personal data to a controller or processor in another territory within the same group of undertakings or enterprises.

21. supervisory authority: an independent public authority established by a Member State under Art 51.

22. supervisory authority concerned: the supervisory authority of the territory in which the controller, processor or data subject resides, or in which a complaint has been lodged.

23. cross-border processing: processing that takes place in more than one Member State.

24. relevant and reasoned objection: an objection to a draft decision as to whether there is an infringement of the GDPR, or whether the decision risks the fundamental rights of natural persons or the free flow of personal data within the Union.

25. information society service: a service as defined in Art 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament.

26. international organisation: an organisation, and its subordinate bodies, governed by public international law.
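As an added illustration of the pseudonymisation definition in item 5 (example code written for these notes, not taken from the Regulation or any official source): the working data set keeps only a keyed pseudonym, while the secret key and the pseudonym-to-identity table are the separately held "additional information". The patient records and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample working data (not from the original notes).
PATIENTS = [
    {"name": "Alice Example", "email": "alice@example.org", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "diagnosis": "diabetes"},
]


class AdditionalInfo:
    """The 'additional information' of Art 4(5): a secret key plus the
    pseudonym -> identity table. Held apart from the working data set
    (here a separate object; in practice a separate system with its own
    access control), so the data set alone does not point to anyone."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.index = {}  # pseudonym -> identifying fields


def pseudonym_for(identifier, key):
    """Keyed pseudonym. A plain hash of an e-mail address could be matched
    by hashing guessed addresses, so an HMAC under a secret key is used;
    normalisation keeps one person's records linkable within the data set."""
    norm = identifier.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, extra):
    """Return the working data set with direct identifiers (name, e-mail)
    replaced by a pseudonym; the link back to the person goes only into
    the separately held `extra` store."""
    out = []
    for rec in records:
        pid = pseudonym_for(rec["email"], extra.key)
        extra.index[pid] = {"name": rec["name"], "email": rec["email"]}
        out.append({"subject_id": pid, "diagnosis": rec["diagnosis"]})
    return out


def reidentify(pid, extra):
    """Attribution to a data subject is possible only with the separately
    held additional information; returns None for an unknown pseudonym."""
    return extra.index.get(pid)


def erase_link(pid, extra):
    """Storage limitation: once the purpose is served, dropping the index
    entry removes the stored link, so the pseudonym no longer resolves."""
    return extra.index.pop(pid, None) is not None


def has_direct_identifiers(records):
    """Check used before releasing a data set: no name or e-mail field left."""
    return any(k in ("name", "email") for r in records for k in r)
```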

Chapter 2. Principles (Articles 5-11)

Article 5: Principles of processing

p1. lawfulness (Art 6), fairness and transparency: personal data shall be processed lawfully, fairly and transparently.
p2. purpose limitation: collect personal data only for specified, explicit and legitimate purposes.
p3. data minimisation: processing must be adequate, relevant and limited.
p4. accuracy: data must be accurate and kept up to date; inaccurate data must be erased or rectified.
p5. storage limitation: keep data no longer than the purpose requires; exception: archiving in the public interest, scientific or historical research under Art 89(1) GDPR.
p6. integrity and confidentiality: ensure security, i.e. protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
p7. accountability: rests with the controller.

An example of compliance with the GDPR principles is when an online retailer collects customer information (such as name, address and payment details) during checkout. The retailer must:

Clearly state why they are collecting this data (lawfulness, fairness and transparency).
Use the data only for processing the customer's order and not for unrelated purposes (purpose limitation).
Collect only the information needed to complete the transaction, without asking for excessive details (data minimisation).
Ensure the accuracy of the data by allowing customers to update their information and promptly correcting any errors (accuracy).
Delete the customer's personal data after completing the transaction, unless required for record-keeping purposes (storage limitation).
Safeguard the customer's data against unauthorised access or theft using encryption and secure servers (integrity and confidentiality).
Maintain records and documentation demonstrating compliance with the GDPR principles (accountability).

Article 6: Lawfulness (p1 of Art 5)

Processing of personal data must be lawful, which means that at least one of the following conditions must be met:

(a) The data subject has given consent for the specific purpose of the processing.
(b) Processing is necessary for fulfilling a contract with the data subject or for taking steps before entering into a contract.
(c) Processing is required to comply with a legal obligation.
(d) Processing is necessary to protect the vital interests of the data subject or another person.
(e) Processing is necessary to carry out a task in the public interest or in the exercise of official authority.
(f) Processing is necessary for the legitimate interests pursued by the controller or a third party, except where these are overridden by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.

Public authorities carrying out their tasks are not covered by point (f).
Member States can have specific rules for processing related to legal obligations and public interest tasks.
The legal basis for such processing must be Union law or Member State law.

An example of lawful processing under the GDPR could be a healthcare provider collecting and using a patient's personal data:

Consent: The patient consents to the processing of their personal data for medical treatment purposes.
Contract: Processing is necessary for fulfilling the healthcare provider's contract with the patient for medical services.
Legal obligation: The healthcare provider is required by law to maintain medical records for a certain period.
Vital interests: Processing the patient's data is necessary to protect their life in a medical emergency.
Public interest: The healthcare provider processes the data for public health purposes, such as disease monitoring or health research.
Legitimate interests: The healthcare provider may use the data to send appointment reminders or to improve its services, as long as this doesn't override the rights of the patient.
In each of these scenarios, the processing of personal data is lawful under the GDPR because it meets one of the specified conditions.

Article 7. Consent conditions

If consent is given alongside other matters in a written declaration, the consent request must be clearly separate, easy to understand, and in simple language. If any part of the declaration violates the GDPR, it won't be valid.
Data subjects have the right to withdraw consent at any time, and withdrawing must be as simple as giving consent. Before giving consent, data subjects must be informed of this. Consent is not considered freely given if agreeing to the processing of personal data is made a condition of a contract or service when that processing is not necessary for performing the contract.

Suppose there's a healthcare app that wants to collect users' personal data for
research purposes. When users sign up for the app, they are presented with a
lengthy terms of service agreement that includes consent for data processing buried
within it. The consent language is complex and hard to understand amidst all the
legal jargon. This situation doesn't comply with GDPR because consent should be
presented clearly and distinctly from other matters, in a way that's easy for users
to understand.
Furthermore, users should have the ability to revoke their consent at any time. If
a user decides they no longer want their data used for research purposes, they
should be able to easily withdraw their consent through the app settings or by
contacting the app provider.
However, if the app makes access to its essential healthcare services conditional
on agreeing to the research data collection (which is not necessary for providing
basic healthcare services), then this could be considered coercive and would not
meet GDPR standards for freely given consent.

Article 8. Child's consent conditions


Article 8 of the GDPR pertains to the processing of personal data of children.
Here's an example:

Let's say there's an online gaming platform targeted at children aged 12-15. The
platform collects personal data such as usernames, email addresses, and age during
the sign-up process. According to Article 8 of the GDPR, if the platform wishes to
process the personal data of children under the age of 16 (which is the default age
unless Member States lower it to a minimum of 13), it must obtain consent from a
parent or guardian.
In this example, if a child under the age of 16 signs up for the gaming platform,
the platform must provide clear information to the child and their parent or
guardian about the data processing activities, including why the data is being
collected and how it will be used. The platform must then obtain verifiable consent
from the parent or guardian before processing the child's personal data.
Failure to obtain proper consent from a parent or guardian for the processing of
personal data of children under the age of 16 would violate Article 8 of the GDPR.

Article 9. special categories processing


Article 9 of the GDPR deals with the processing of special categories of personal
data, such as racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic data, biometric data, data
concerning health, or data concerning a person's sex life or sexual orientation.
Here's an example:

Let's consider a healthcare provider collecting patient information. They gather not only basic health data but also genetic information to assess the risk of hereditary diseases. According to Article 9 of the GDPR, processing such sensitive genetic data requires explicit consent from the individual.
In this scenario, before collecting genetic data from patients, the healthcare
provider must clearly inform them about why this data is being collected, how it
will be used, and obtain explicit consent for its processing. Without explicit
consent, the healthcare provider cannot legally process this sensitive information,
as it falls under the special categories outlined in Article 9.

Article 10. Processing of personal data of criminal convictions and offences


Article 10 of the GDPR pertains to the processing of personal data relating to
criminal convictions and offenses or related security measures. Here's an example:

Imagine a background check company that provides services to employers. As part of their service, they collect and process information about individuals' criminal convictions and offences to assess their suitability for employment.
To comply with Article 10 of the GDPR, the background check company must ensure
that they have a lawful basis for processing this sensitive information. This could
include obtaining explicit consent from the individuals, or processing the data as
necessary for the performance of a contract with the employer or to comply with
legal obligations.
Additionally, the background check company must implement appropriate security
measures to protect the confidentiality and integrity of this sensitive personal
data, as required by the GDPR.
Failure to adhere to the requirements of Article 10 could result in penalties and
sanctions under the GDPR.

Article 11. Processing which does not require identification


Article 11 of the GDPR deals with processing which does not require identification.
Here's an example:

Let's consider a scenario where a website collects statistical information about its visitors' browsing behaviour using cookies. This information includes data such as the pages visited, time spent on each page, and the frequency of visits.
In compliance with Article 11 of the GDPR, the website may collect and process this
data without identifying individual users. Instead, they aggregate the data to
analyze overall trends and improve the website's performance and user experience.
By anonymizing the data and not identifying individual users, the website ensures
compliance with the GDPR's principles of data minimization and privacy protection.
Users can enjoy a personalized browsing experience while their identities remain
anonymous, maintaining their privacy rights under the GDPR.

Chapter 3 Rights of the data subject (Art 12-23)

Article 12. Transparent information, communication and modalities for the exercise
of the rights of the data subject

Article 12 of the GDPR focuses on transparency and communication with data subjects
regarding the processing of their personal data. Here's an example:

Let's consider an online shopping website. When a user creates an account and
provides personal information such as their name, address, payment details, and
browsing history, the website must comply with Article 12 of the GDPR.
Upon account creation, the website presents a clear and easily accessible privacy
policy or notice that outlines:
The identity and contact details of the website operator (the controller).
The purposes for which the personal data is being processed (e.g., order
fulfillment, marketing communication).
The legal basis for the processing (e.g., performance of a contract, consent).
The retention period for the personal data (e.g., data stored for as long as the
account is active).
The rights of the data subjects, including the right to access, rectify, and delete
their data, as well as the right to object to processing.
Any data transfers to third parties, along with information about safeguards in
place for such transfers.
Furthermore, the website ensures that this information is presented in plain
language and easily understandable to users, fostering transparency and enabling
users to make informed decisions about their personal data.

Article 13. Information to be provided where personal data are collected from the
data subject

1. When personal data is collected directly from the data subject, the controller
must provide the following information at that time:

Their own identity and contact details, and those of their representative if
applicable.
Contact details for the data protection officer, if applicable.
The purposes and legal basis for processing the data.
If processing is based on legitimate interests, the controller's or a third party's
interests pursued.
Any recipients or categories of recipients of the data.
If applicable, whether the data will be transferred to a third country or
international organization, and if so, whether there's an adequacy decision by the
Commission or reference to appropriate safeguards, along with how to obtain a copy
of them.

2. In addition to the previous information, the controller must also provide the
following details when collecting personal data:

How long the personal data will be kept, or if not possible, the criteria used to
determine that period.
The data subject's rights to access, rectify, erase, or restrict processing of
their data, as well as the right to data portability.
If processing is based on consent, the right to withdraw consent at any time.
The right to file a complaint with a supervisory authority.
Whether providing personal data is required by law, contract, or necessary to enter
into a contract, along with the consequences of not providing such data.
If automated decision-making or profiling is used, including information about the
logic involved, and the potential impact on the data subject.

3. If the controller plans to use the personal data for a different purpose than
originally collected, they must inform the data subject beforehand about this new
purpose and provide any additional relevant information mentioned in point 2.

Article 14. Information to be provided where personal data have not been obtained
from the data subject

1. When personal data is not obtained from the data subject, the controller must
provide the following information to the data subject:

Their own identity and contact details, and those of their representative if
applicable.
Contact details for the data protection officer, if applicable.
The purposes and legal basis for processing the data.
The categories of personal data involved.
Any recipients or categories of recipients of the data.
If applicable, whether the data will be transferred to a third country or
international organization, and if so, whether there's an adequacy decision by the
Commission or reference to appropriate safeguards, along with how to obtain a copy
of them.

2. In addition to the previous information, the controller must also provide the
following details to ensure fair and transparent processing for the data subject:

How long the personal data will be kept, or if not possible, the criteria used to
determine that period.
If processing is based on legitimate interests, the controller's or a third party's
interests pursued.
The data subject's rights to access, rectify, erase, or restrict processing of
their data, as well as the right to data portability.
If processing is based on consent, the right to withdraw consent at any time.
The right to file a complaint with

3. The controller must provide the information mentioned in paragraphs 1 and 2:

Within one month after obtaining the personal data, considering the specific circumstances.
If the data will be used to communicate with the data subject, at the time of the first communication.
If the data will be disclosed to another recipient, at the time of the first disclosure.

4. If the controller plans to use the personal data for a different purpose than
originally obtained, they must inform the data subject before doing so, providing
information about this new purpose along with any additional relevant details
mentioned in paragraph 2.

5. Paragraphs 1 to 4 don't apply if:

The data subject already has the information.
Providing the information is impossible or would require a disproportionate effort, especially for processing related to public interest archiving, scientific research, or statistics, as long as the conditions in Article 89(1) are met, or if providing the information would seriously affect the purpose of the processing. In such cases, the controller must take measures to protect the data subject's rights and interests, including making the information publicly available.
Union or Member State law requires obtaining or disclosing the information and provides measures to protect the data subject's interests.
The personal data must remain confidential under Union or Member State law, including professional secrecy obligations.

Article 15. Right of access by the data subject

1. The data subject has the right to ask the controller whether their personal data are being processed, and if so, to access the data along with the following details:

The purposes of the processing.
The categories of personal data involved.
Who the data has been or will be shared with, especially in other countries.
If possible, how long the data will be kept, or the criteria used to decide.
The right to correct or delete data, or restrict processing, and to object to it.
The right to complain to a supervisory authority.
If the data wasn't collected from the data subject, where it came from.
If automated decision-making or profiling is used, details about how it works and its effects on the data subject.

2. If personal data is sent to another country or international organisation, the data subject has the right to know about the safeguards in place for the transfer according to Article 46.

3. The controller must give the data subject a copy of their personal data being processed. If the data subject asks for additional copies, the controller can charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information should be provided in a commonly used electronic format, unless they ask for something different.

4. The right to obtain a copy of personal data must not adversely affect the rights and freedoms of others.
