In one sentence. This index is a navigable map of the 99 articles of the General Data Protection Regulation (Regulation (EU) 2016/679), organised by topic, with links to dedicated practical guides on each major provision. Use it as the starting point when you need to understand a specific GDPR Article in operational terms — what it requires, how it’s enforced, and how to comply.
The GDPR has 99 articles across 11 chapters. Most compliance work touches the same 30-40 articles repeatedly. This index groups them by topic and links to the deep-dive guides we’ve published on each. New guides are added regularly.
For the broader compliance framework, see data privacy compliance guide. For the audit framework that maps to these articles, GDPR audit methodology 2026.
Chapter I — General Provisions (Articles 1-4)
| Article | Topic | Guide |
|---|---|---|
| 1 | Subject matter and objectives | — |
| 2 | Material scope | — |
| 3 | Territorial scope | Does GDPR apply outside the EU? |
| 4 | Definitions | — |
Chapter II — Principles (Articles 5-11)
| Article | Topic | Guide |
|---|---|---|
| 5(1) | Principles relating to processing | The 7 data privacy principles |
| 5(1)(a) | Lawfulness, fairness, transparency | — |
| 5(1)(b) | Purpose limitation | GDPR purpose limitation principle |
| 5(1)© | Data minimisation | Data minimisation under GDPR |
| 5(1)(d) | Accuracy | GDPR accuracy principle |
| 5(1)(e) | Storage limitation | GDPR storage limitation principle |
| 5(1)(f) | Integrity, confidentiality | Article 32 security of processing |
| 5(2) | Accountability | Principle of accountability under GDPR |
| 6 | Lawfulness of processing — 6 lawful bases | GDPR Article 6 lawful basis |
| 7 | Conditions for consent | GDPR Article 7 consent conditions |
| 9 | Special categories of data | GDPR Article 9 special categories |
| 10 | Data on criminal convictions | — |
Chapter III — Rights of the Data Subject (Articles 12-23)
| Article | Topic | Guide |
|---|---|---|
| 12 | Modalities — transparency, response time | GDPR Article 12 transparency |
| 13 | Information when data collected from subject | GDPR Article 13 information notice |
| 14 | Information when data from third party | GDPR Article 14 third-party data |
| 15 | Right of access | Right of access GDPR |
| 16 | Right to rectification | — |
| 17 | Right to erasure (“right to be forgotten”) | Right to erasure GDPR |
| 18 | Right to restriction of processing | GDPR Article 18 restriction |
| 19 | Notification obligation regarding rectification, erasure, restriction | — |
| 20 | Right to data portability | Right to data portability GDPR Art. 20 |
| 21 | Right to object | GDPR Article 21 right to object |
| 22 | Automated decision-making and profiling | GDPR Article 22 automated decisions |
| 23 | Restrictions (Member State derogations) | — |
Chapter IV — Controller and Processor (Articles 24-43)
| Article | Topic | Guide |
|---|---|---|
| 24 | Responsibility of the controller | — |
| 25 | Data protection by design and by default | GDPR Article 25 privacy by design |
| 26 | Joint controllers | Article 28 vs Article 26 RGPD |
| 27 | Representatives of non-EU controllers | — |
| 28 | Processor (sub-processor obligations) | Article 28 GDPR sub-processor, Modèle DPA Art. 28 (FR) |
| 29 | Processing under authority | — |
| 30 | Records of processing activities (ROPA) | ROPA template Art. 30 |
| 31 | Cooperation with the supervisory authority | — |
| 32 | Security of processing | GDPR Article 32 security |
| 33 | Notification of personal data breach to DPA | Article 33 RGPD breach notification |
| 34 | Communication of breach to data subject | GDPR Article 34 breach communication |
| 35 | Data Protection Impact Assessment (DPIA) | Article 35 RGPD AIPD |
| 36 | Prior consultation with supervisory authority | — |
| 37 | Designation of the DPO | GDPR DPO designation |
| 38 | Position of the DPO | GDPR DPO position |
| 39 | Tasks of the DPO | GDPR DPO tasks |
| 40-43 | Codes of conduct, certification | — |
Chapter V — Transfers to Third Countries (Articles 44-50)
| Article | Topic | Guide |
|---|---|---|
| 44 | General principle for transfers | GDPR cross-border data transfers |
| 45 | Adequacy decisions | Transferts vers la Suisse — adéquation 2024 (FR) |
| 46(2)© | Standard Contractual Clauses (SCCs) | Standard Contractual Clauses (SCCs) guide |
| 46(2)(b) | Binding Corporate Rules (BCRs) | BCR vs SCC vs DPF |
| 46 + Schrems II | Transfer Impact Assessment (TIA) | Transfer Impact Assessment (TIA) guide |
| 49 | Derogations for specific situations | — |
Chapter VI — Supervisory Authorities (Articles 51-59)
| Article | Topic | Guide |
|---|---|---|
| 51-59 | National DPAs (CNIL, BfDI, AEPD, etc.) | Supervisory authority GDPR, PFPDT (Switzerland) |
| 58 | Powers of investigation | Contrôle CNIL : comment se préparer (FR) |
Chapter VII — Cooperation and Consistency (Articles 60-76)
| Article | Topic | Guide |
|---|---|---|
| 60-67 | Cooperation, consistency mechanism | European Data Protection Board (EDPB) |
| 68-76 | EDPB structure and decisions | European Data Protection Board (EDPB) |
Chapter VIII — Remedies, Liability, Penalties (Articles 77-84)
| Article | Topic | Guide |
|---|---|---|
| 77 | Right to lodge complaint with DPA | — |
| 82 | Right to compensation | — |
| 83 | Administrative fines (up to 4% of turnover) | GDPR fines |
| 84 | Member State penalties | — |
Chapter IX — Specific Situations (Articles 85-91)
Articles 85-91 cover specific contexts: freedom of expression and information, public access to documents, national identification numbers, employment context, archiving and research, secrecy obligations, churches and religious associations.
Chapter X-XI — Delegated Acts and Final Provisions (Articles 92-99)
Procedural — entry into force, repeal of Directive 95/46, transitional provisions.
Cross-cutting topics
Some compliance work spans multiple articles:
| Topic | Spanning articles | Guide |
|---|---|---|
| Lawful basis selection | 6, 7, 9 | GDPR Article 6 lawful basis |
| Data subject rights | 12-23 | Right of access, erasure, portability, object |
| Vendor management | 28, 30, 32, 33 | Modèle DPA (FR), vendor audit checklist (FR) |
| International transfers | 44-50 + Schrems II | SCCs guide, TIA guide, BCR vs SCC vs DPF |
| DPO function | 37-39 | DPO tasks, DPO designation, job description template |
| Breach response | 32, 33, 34 | Article 33 (FR), Article 32 security, Article 34 communication |
How to use this index
- For compliance work: navigate to the article you’re handling, read the dedicated guide, apply the practical patterns.
- For audit preparation: use the index to verify your processing maps to the right articles.
- For training: each guide doubles as a self-paced training module on its article.
- For DPO functions: bookmark and use as reference during day-to-day work.
For the broader compliance framework: data privacy compliance guide. For the operational tooling that automates ROPA, DPA audits, DPIA generation, and DSR workflow: Legiscope.
Coming next
We’re publishing dedicated guides for the remaining articles by topic priority. Subscribe to the Legiscope newsletter for new guide releases.
Automate your GDPR compliance
Save 340+ hours per year on compliance work. Legiscope provides AI-powered GDPR management trusted by compliance professionals.
Discover Legiscope
