GDPR Recitals: your essential partners to understand and apply the GDPR

Preparing for compliance with the General Data Protection Regulation (GDPR) is not a walk in the park, nor is understanding the GDPR Articles in the final GDPR text. As we’ll see, there are many ways to make it easier. The GDPR Recitals, which we tackle and list here, are key in that regard.

One of many reasons why GDPR Recitals are essential (we’ll see more below) is that, in watching over the consistency of the application and enforcement of the GDPR, supervisory authorities, the European Data Protection Board (formerly the Article 29 Working Party) and others use these GDPR Recitals to interpret the GDPR Articles. Moreover, the Court of Justice of the European Union uses GDPR Recitals to decide on the meaning and application of law such as the GDPR in the cases it needs to judge. It’s obvious that when jurisprudence increases as of May 2018, GDPR Recitals will be used in these cases as well, which will set precedents with regard to the GDPR.

That’s why, just as we did with all the GDPR Articles in the final text, we also list the GDPR Recitals in this text.

GDPR Recitals in the scope of the practical application of the GDPR

To understand the GDPR and its practical consequences for your business, as a data controller and as a data processor, it’s important to know more than essential basics such as data subject rights, what personal data and data subjects are under the GDPR, the legal grounds for lawful processing and so forth.

Usually a strategic GDPR information management, security, GDPR awareness and overall GDPR compliance plan looks at the various data subject risks, the current and future data processing operations and the organizational changes which are needed after having conducted a gap analysis. Moreover, you need to know whom to notify in case of a personal data breach, when to ask for an additional control such as a Data Protection Impact Assessment and how these additional assessments help you in demonstrating GDPR compliance (a must for the data controller) just as adhering to a code of conduct does. All this is typically done by a team and external GDPR experts.

Everyone tells you that the General Data Protection Regulation is complex and that many things need to be taken into account, depending on your organization’s context, customers and suppliers (as a controller you are responsible for the data processing suppliers you work with). And they are right. Many things apply to what you might do and others don’t. If you, for instance, plan an IoT application in which personal data are used, special checks apply.

In order to get GDPR compliant it’s important to:

  • Work with knowledgeable partners
  • Check the mentioned guidelines by the European Data Protection Board (EDPB) and supervisory authorities
  • Understand what the 99 GDPR Articles in the final text of the GDPR mean
  • Start as soon as possible as the real questions pop up when you start preparing in practice

The guidelines from several bodies serve as an essential basis in the application of the GDPR. The same goes for trustworthy advice from data protection and privacy bodies and associations or experts such as the IAPP (International Association of Privacy Professionals), of which we’re a member. Many of the mentioned parties also offer GDPR training, including preparation courses in case you would consider a career as a DPO (Data Protection Officer).

What does all this have to do with those GDPR Recitals? The GDPR Recitals are part of the GDPR text. However, these GDPR Recitals are also instrumental in understanding the why, the how and often even the rationale behind several GDPR Articles.

In many cases they overlap with GDPR Articles, but they also contain the necessary additional context within which to interpret the Articles. And, as mentioned, that’s also what supervisory authorities, the EDPB and courts will do.

Searchable list of the GDPR Recitals

We started listing the GDPR Recitals below with a link to each one. The search form helps you find the GDPR Recital for the keywords you use.

Do note that GDPR Recitals are numbered. It’s a flowing text whereby each Recital gets a number. For your convenience we added a small, non-official, title for them. Start your search for a GDPR Recital.

GDPR Recital Search tips:
  • Use quotation marks to find all GDPR Recitals containing an exact combination of words in the text. E.g. “data protection officer”.
  • To see all GDPR Recitals again after a query, empty the search field and press the find button.

  • GDPR Recital 1 – Personal data protection as a fundamental right
  • GDPR Recital 2 – Personal data processing and fundamental rights and freedoms
  • GDPR Recital 3 – Harmonisation Directive 95/46/EC
  • GDPR Recital 4 – Personal data protection and other rights – proportionality
  • GDPR Recital 5 – Cross-border flows of personal data – data exchange between Member States
  • GDPR Recital 6 – Technology, globalisation, increased personal data sharing and new protection challenges
  • GDPR Recital 7 – Trust and control over own data
  • GDPR Recital 8 – Incorporation into national law
  • GDPR Recital 9 – Rationale for a replacement of Directive 95/46/EC
  • GDPR Recital 10 – Consistent application and margins of manoeuvre for member states
  • GDPR Recital 11 – Harmonisation of powers for monitoring, GDPR compliance enforcement and sanctions
  • GDPR Recital 12 – GDPR mandate of the European Parliament and Council
  • GDPR Recital 13 – Derogation regarding record-keeping and needs of organizations with less than 250 employees (micro, small and medium-sized enterprises)
  • GDPR Recital 14 – GDPR applies to natural persons, not legal persons
  • GDPR Recital 15 – Technological neutrality: automated and manual processing, filing systems and file (set) structure
  • GDPR Recital 16 – GDPR application exceptions: national and foreign security
  • GDPR Recital 17 – Adaptations of Regulation (EC) No 45/2001 in line with GDPR
  • GDPR Recital 18 – GDPR application exceptions: purely personal or household activity
  • GDPR Recital 19 – GDPR application exceptions: criminal offences and criminal penalties
  • GDPR Recital 20 – Judiciary independence: competence of supervisory authorities in covering processing of personal data when courts act in their judicial capacity
  • GDPR Recital 21 – Liability rules of intermediary service providers
  • GDPR Recital 22 – Territorial application: processing by establishment independent of place of processing
  • GDPR Recital 23 – GDPR territorial application: controller or a processor offering goods or services not established in the Union
  • GDPR Recital 24 – GDPR territorial application: monitoring behaviour by controller or processor not established in the Union
  • GDPR Recital 25 – GDPR territorial application: EU Member State diplomatic mission or consular post
  • GDPR Recital 26 – GDPR data protection application: identifiable natural person, pseudonymisation, anonymous information
  • GDPR Recital 27 – GDPR application: deceased persons
  • GDPR Recital 28 – Application of pseudonymisation to personal data under the GDPR
  • GDPR Recital 29 – Pseudonymisation within the same controller
  • GDPR Recital 30 – GDPR online identifiers and combination of online and unique identifiers
  • GDPR Recital 31 – Personal data processing by public authorities in accordance with legal obligations
  • GDPR Recital 32 – GDPR and consent – consent indication, consent affirmation and consent purpose scope
  • GDPR Recital 33 – Consent and personal data processing for scientific research under the GDPR
  • GDPR Recital 34 – Genetic data as personal data under the GDPR
  • GDPR Recital 35 – Personal data and health data under the GDPR
  • GDPR Recital 36 – GDPR: main establishment of controller in the EU
  • GDPR Recital 37 – GDPR and a group of undertakings
  • GDPR Recital 38 – Specific protection of personal data of children under the GDPR
  • GDPR Recital 39 – Lawfulness, fairness, transparency and purpose of personal data processing
  • GDPR Recital 40 – Consent and other grounds for lawful personal data processing
  • GDPR Recital 41 – Legal basis and legislative measures
  • GDPR Recital 42 – The ability of the controller to demonstrate the data subject has given consent
  • GDPR Recital 43 – Freely given and not freely given consent
  • GDPR Recital 44 – Lawful processing in the scope of a contract
  • GDPR Recital 45 – Processing in accordance with legal obligations
  • GDPR Recital 46 – Processing and vital natural person interests
  • GDPR Recital 47 – Overriding legitimate interests
  • GDPR Recital 48 – Overriding legitimate interest group of undertakings or institutions affiliated to a central body
  • GDPR Recital 49 – Ensuring network and information security a legitimate controller interest
  • GDPR Recital 50 – Processing of data for non-initial purposes
  • GDPR Recital 51 – Prohibition processing of sensitive and special personal data categories
  • GDPR Recital 52 – Exceptions from the prohibition on processing special categories of personal data
  • GDPR Recital 53 – Special categories of personal data and health-related purposes
  • GDPR Recital 54 – Special personal data categories and public health
  • GDPR Recital 55 – Public interest and recognized religious associations
  • GDPR Recital 56 – Public interest, political parties and elections
  • GDPR Recital 57 – Data provided by data subject in exercising his rights
  • GDPR Recital 58 – The principle of transparency and ‘ease’
  • GDPR Recital 59 – Mechanisms to facilitate the exercise of data subject rights
  • GDPR Recital 60 – Information duties towards data subjects
  • GDPR Recital 61 – Time of information provision towards data subject
  • GDPR Recital 62 – Exceptions to information duties
  • GDPR Recital 63 – Right of access to personal data
  • GDPR Recital 64 – Identity verification duty in case of access request
  • GDPR Recital 65 – Rights of correction and erasure of personal data
  • GDPR Recital 66 – Erasure and publicly available personal data
  • GDPR Recital 67 – Methods of processing restriction
  • GDPR Recital 68 – Data subject control: interoperability and portability
  • GDPR Recital 69 – Data subject right to object
  • GDPR Recital 70 – Right to object and direct marketing
  • GDPR Recital 71 – Automated processing and profiling
  • GDPR Recital 72 – European Data Protection Board role in profiling
  • GDPR Recital 73 – Restrictions concerning specific principles and data subject rights
  • GDPR Recital 74 – Responsibility and liability of the controller
  • GDPR Recital 75 – Risks to the rights and freedoms of natural persons
  • GDPR Recital 76 – Assessing risks to rights and freedoms
  • GDPR Recital 77 – Guidelines regarding risk identification and assessment
  • GDPR Recital 78 – Compliance and appropriate technical and organisational measures
  • GDPR Recital 79 – Allocation responsibilities controllers and processors
  • GDPR Recital 80 – Representatives for controllers and processors outside EU
  • GDPR Recital 81 – Controller duty to select compliant processors
  • GDPR Recital 82 – Compliance and records of processing activities
  • GDPR Recital 83 – Encryption and measures for security of processing
  • GDPR Recital 84 – Data impact assessments and prior consultation
  • GDPR Recital 85 – Notifying data breach towards supervisory authority
  • GDPR Recital 86 – Data breach communication towards data subject
  • GDPR Recital 87 – Measures for prompt notification of data breach
  • GDPR Recital 88 – Considerations breach notification format and procedures
  • GDPR Recital 89 – General notification obligations abolishment
  • GDPR Recital 90 – Data protection impact assessment (DPIA)
  • GDPR Recital 91 – Data protection impact assessment necessity
  • GDPR Recital 92 – DPIA broader than a single project
  • GDPR Recital 93 – DPIAs at authorities
  • GDPR Recital 94 – Consulting supervisory authority prior to processing
  • GDPR Recital 95 – Processor support in case of DPIA and/or prior consultation
  • GDPR Recital 96 – Supervisory consultation in preparation of legislative measure
  • GDPR Recital 97 – Introducing the data protection officer
  • GDPR Recital 98 – Codes of conduct
  • GDPR Recital 99 – Consultations when drawing up a code of conduct
  • GDPR Recital 100 – Encouragement of certification mechanisms
  • GDPR Recital 101 – International data transfer flows
  • GDPR Recital 102 – Existing international agreements
  • GDPR Recital 103 – Adequate level of data protection EC international transfers
  • GDPR Recital 104 – Criteria assessment adequacy decision
  • GDPR Recital 105 – Consideration international obligations adequacy decision
  • GDPR Recital 106 – Monitoring and review adequacy data protection
  • GDPR Recital 107 – Suspension of adequacy decisions and solving suspensions
  • GDPR Recital 108 – Appropriate safeguards for the data subject in absence of adequacy decision
  • GDPR Recital 109 – Standard Contractual Clauses (SCCs)
  • GDPR Recital 110 – Binding Corporate Rules (BCRs)
  • GDPR Recital 111 – Exceptions cross-border data transfers
  • GDPR Recital 112 – Cross-border personal data transfer for reasons of public interest
  • GDPR Recital 113 – Non-repetitive transfers concerning a limited number of data subjects
  • GDPR Recital 114 – Enforceable and effective data subject rights in case of no adequacy decision
  • GDPR Recital 115 – Third country laws, regulations and legal acts
  • GDPR Recital 116 – Cooperation data protection supervisory authorities in relation with international counterparts
  • GDPR Recital 117 – Establishment of supervisory authorities in EU Member States
  • GDPR Recital 118 – Independence of and control or monitoring mechanisms regarding supervisory authorities
  • GDPR Recital 119 – Consistency in case of several supervisory authorities per Member State
  • GDPR Recital 120 – Budget and resources for each supervisory authority
  • GDPR Recital 121 – General conditions for members of the supervisory authority
  • GDPR Recital 122 – Territorial and material competence of supervisory authorities
  • GDPR Recital 123 – Consistency monitoring role of supervisory authorities and cooperation
  • GDPR Recital 124 – Lead supervisory authority and establishment of controller/processor
  • GDPR Recital 125 – Lead supervisory authority and decision making
  • GDPR Recital 126 – Joint decisions lead authority and other supervisory authorities
  • GDPR Recital 127 – Competence, information duty and one-stop-mechanism
  • GDPR Recital 128 – Exceptions regarding rules on the lead supervisory authority and the one-stop-shop mechanism
  • GDPR Recital 129 – Tasks and powers of supervisory authorities
  • GDPR Recital 130 – Cooperation lead supervisory authority and supervisory authority where complaint is lodged
  • GDPR Recital 131 – Seeking an amicable settlement