-
What's new
- All What's new
-
European
- What's new - All
- <hr>
- What's new - last 24 hrs
- What's new - last 7 days
- What's new - last 30 days
- <hr>
- New EU Legislation
- European Commission
- European Banking Authority
- European Securities and Markets Authority
- European Insurance and Occupational Pensions Authority
- <hr>
- Consultations and similar
- Commentaries
- <hr>
- Downloads and Exports
- Latest news by Topics
-
International
- What's new - All
- <hr>
- What's new - last 24 hrs
- What's new - last 7 days
- What's new - last 30 days
- <hr>
- Bank for International Settlements
- Basel Committee on Banking Supervision
- Egmont Group
- International Association of Insurance Supervisors
- International Monetary Fund
- <hr>
- Consultations and similar
- Commentaries
- <hr>
- Downloads and Exports
- Latest news by Topics
- Downloads and Exports
- Legislation
- Organisations
-
Commentaries
- Consultations
- Sanctioned regimes
- IFRSs
- Regulatory calendar
- Quicklinks
-
More
Table of Contents
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance)RecitalsChapter I General provisions (arts. 1-3)Article 1 Subject matter and objectivesArticle 2 ScopeArticle 3 DefinitionsChapter II General principles (arts. 4-13)Article 4 Principles relating to processing of personal dataArticle 5 Lawfulness of processingArticle 6 Processing for another compatible purposeArticle 7 Conditions for consentArticle 8 Conditions applicable to a child's consent in relation to information society servicesArticle 9 Transmissions of personal data to recipients established in the Union other than Union institutions and bodiesArticle 10 Processing of special categories of personal dataArticle 11 Processing of personal data relating to criminal convictions and offencesArticle 12 Processing which does not require identificationArticle 13 Safeguards relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposesChapter III Richts of the data subject (arts. 14-25)Section 1 Transparency and modalities (art. 14)Article 14 Transparent information, communication and modalities for the exercise of the rights of the data subjectSection 2 Information and access to personal data (arts. 15-17)Article 15 Information to be provided where personal data are collected from the data subjectArticle 16 Information to be provided where personal data have not been obtained from the data subjectArticle 17 Right of access by the data subjectSection 3 Rectification and erasure (arts. 18-22)Article 18 Right to rectificationArticle 19 Right to erasure ('right to be forgotten')Article 20 Right to restriction of processingArticle 21 Notification obligation regarding rectification or erasure of personal data or restriction of processingArticle 22 Right to data portabilitySection 4 Right to object and automated individual decision-making (arts. 23-24)Article 23 Right to objectArticle 24 Automated individual decision-making, including profilingSection 5 Restrictions (art. 25)Article 25 RestrictionsChapter IV Controller and processor (arts. 26-45)Section 1 General obligations (arts. 26-32)Article 26 Responsibility of the controllerArticle 27 Data protection by design and by defaultArticle 28 Joint controllersArticle 29 ProcessorArticle 30 Processing under the authority of the controller or processorArticle 31 Records of processing activitiesArticle 32 Cooperation with the European Data Protection SupervisorSection 2 Security of personal data (arts. 33-35)Article 33 Security of processingArticle 34 Notification of a personal data breach to the European Data Protection SupervisorArticle 35 Communication of a personal data breach to the data subjectSection 3 Confidentiality of electronic communications (arts. 36-38)Article 36 Confidentiality of electronic communicationsArticle 37 Protection of information transmitted to, stored in, related to, processed by and collected from users' terminal equipmentArticle 38 Directories of usersSection 4 Data protection impact assessment and prior consultation (arts. 39-40)Article 39 Data protection impact assessmentArticle 40 Prior consultationSection 5 Information and legislative consultation (arts. 41-42)Article 41 Information and consultationArticle 42 Legislative consultationSection 6 Data protection officer (arts. 43-45 and draft art. 45a)Article 43 Designation of the data protection officerArticle 44 Position of the data protection officerArticle 45 Tasks of the data protection officerDraft Article 45aChapter V Transfers of personal data to third countries or international organisations (arts. 46-51)Article 46 General principle for transfersArticle 47 Transfers on the basis of an adequacy decisionArticle 48 Transfers subject to appropriate safeguardsArticle 49 Transfers or disclosures not authorised by Union lawArticle 50 Derogations for specific situationsArticle 51 International cooperation for the protection of personal dataChapter VI European data protection supervisor (arts. 52-60)Article 52 European Data Protection SupervisorArticle 53 Appointment of the European Data Protection SupervisorArticle 54 Regulations and general conditions governing the performance of the European Data Protection Supervisor's duties, staff and financial resourcesArticle 55 IndependenceArticle 56 Professional secrecyArticle 57 TasksArticle 58 PowersArticle 59 Obligation of controllers and processors to react to allegationsArticle 60 Activities reportChapter VII Cooperation and consistency (arts. 61-62)Article 61 Cooperation between the European Data Protection Supervisor and national supervisory authoritiesArticle 62 Coordinated supervision by the European Data Protection Supervisor and national supervisory authoritiesChapter VIII Remedies, liability and penalties (arts. 63-69)Article 63 Right to lodge a complaint with the European Data Protection SupervisorArticle 64 Right to an effective judicial remedyArticle 65 Right to compensationArticle 66 Administrative finesArticle 67 Representation of data subjectsArticle 68 Complaints by Union staffArticle 69 SanctionsChapter IX Processing of operational personal data by union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU (arts. 70-95)Article 70 Scope of the ChapterArticle 71 Principles relating to processing of operational personal dataArticle 72 Lawfulness of processing of operational personal dataArticle 73 Distinction between different categories of data subjectsArticle 74 Distinction between operational personal data and verification of the quality of operational personal dataArticle 75 Specific processing conditionsArticle 76 Processing of special categories of operational personal dataArticle 77 Automated individual decision-making, including profilingArticle 78 Communication and modalities for exercising the rights of the data subjectArticle 79 Information to be made available or given to the data subjectArticle 80 Right of access by the data subjectArticle 81 Limitations to the right of accessArticle 82 Right to rectification or erasure of operational personal data and restriction of processingArticle 83 Right of access in criminal investigations and proceedingsArticle 84 Exercise of rights by the data subject and verification by the European Data Protection SupervisorArticle 85 Data protection by design and by defaultArticle 86 Joint controllersArticle 87 ProcessorArticle 88 LoggingArticle 89 Data protection impact assessmentArticle 90 Prior consultation of the European Data Protection SupervisorArticle 91 Security of processing of operational personal dataArticle 92 Notification of a personal data breach to the European Data Protection SupervisorArticle 93 Communication of a personal data breach to the data subjectArticle 94 Transfer of operational personal data to third countries and international organisationsArticle 95 Secrecy of judicial inquiries and criminal proceedingsChapter X Implementing Acts (art. 96)Article 96 Committee procedureChapter XI Review (art. 97-98)Article 97 Review clauseArticle 98 Review of Union legal actsChapter XII Final provisions (arts. 99-101)Article 99 Repeal of Regulation (EC) No 45/2001 and of Decision No 1247/2002/ECArticle 100 Transitional measuresArticle 101 Entry into force and applicationDone at
Page Overview
Tools
Text comparison
Print / Export
Notification
Bookmark
Share / Source link
AI Disclaimer
Please note that AI-generated content should not be considered legal advice. Users are encouraged to consult with qualified professionals or legal advisors where specific legal guidance is required.
We are committed to transparency and responsible use of AI in a way that supports, but never replaces, human expertise.
If you have any questions or concerns about the use of AI on our platform, please feel free to contact us.
Article 33 Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.