The material within this site is provided for general guidance only and does not constitute legal, regulatory, or professional advice. Datari accepts no liability for any actions taken or not taken based on this content.
GDPR Regulatory Intelligence
The GDPR is organised into 11 Chapters containing 99 Articles. This guide lists every Article in order, with a short statement of each Article's purpose. Use the Chapter headings to navigate to the relevant section of the Regulation.
11 Chapters: Covering all areas of data protection law
99 Articles: Listed in full numerical order
2018 Year Applied: Became applicable 25 May 2018
Chapter I — General Provisions
Establishes the GDPR's subject matter, scope, territorial reach, and key definitions. These four Articles form the constitutional foundation of the entire Regulation.
Articles 1–4: General Provisions
Scope: Material & Territorial
Definitions: Core GDPR terminology
Chapter II — Principles
Sets the foundational principles and lawful bases that govern personal data processing. Every processing activity must be grounded in these Articles.
Lawfulness, Fairness & Transparency: Article 5 — the cornerstone principle underpinning all processing
Article 9 — health, biometric, racial, religious and other sensitive data require explicit justification
Chapter III — Rights of the Data Subject
Defines the rights individuals have over their personal data and how organisations must respond. Chapter III is divided into five Sections covering transparency, access, rectification, objection and restrictions.
Section 1 — Transparency and Modalities
Section 2 — Information and Access to Personal Data
Section 3 — Rectification and Erasure
Section 4 — Right to Object and Automated Decision-Making
Section 5 — Restrictions
Chapter IV — Controller and Processor
Sets out organisational responsibilities, accountability measures, security duties, breach notification rules, DPIAs, DPOs and conduct mechanisms. This is the most operationally detailed Chapter of the GDPR.
Section 1 — General Obligations
Section 2 — Security of Personal Data
Section 3 — Data Protection Impact Assessment and Prior Consultation
Section 4 — Data Protection Officer
Section 5 — Codes of Conduct and Certification
The accountability cycle under Chapter IV requires organisations to embed privacy at the design stage, maintain comprehensive records, implement robust security, and report breaches promptly — forming a continuous compliance loop.
Chapter V — Transfers of Personal Data to Third Countries or International Organisations
Regulates international transfers of personal data outside the EU/EEA or to international organisations. No transfer may take place unless one of the mechanisms in Articles 44–49 is satisfied.
Chapter VI — Independent Supervisory Authorities
Establishes the independence, powers and responsibilities of national data protection authorities. Each Member State must have at least one supervisory authority acting with full independence.
Section 1 — Independent Status
Section 2 — Competence, Tasks and Powers
Investigative Powers
Supervisory authorities may conduct audits, request information and access premises under Article 58.
Corrective Powers
Authorities may issue warnings, reprimands, bans on processing and administrative fines under Article 58.
Authorisation Powers
Authorities may approve codes of conduct, certifications and binding corporate rules under Article 58.
Chapter VII — Cooperation and Consistency
Creates cooperation mechanisms between supervisory authorities and the European Data Protection Board. This Chapter ensures the GDPR is applied consistently across all Member States.
Section 1 — Cooperation
Section 2 — Consistency
Section 3 — European Data Protection Board
Chapter VIII — Remedies, Liability and Penalties
Sets rights to complain, seek judicial remedies, claim compensation, and governs administrative fines and penalties. This Chapter gives the GDPR its enforcement teeth.
Tier 1 Fines — Article 83(4)
Up to €10 million or 2% of global annual turnover (whichever is higher) for infringements of obligations such as processor requirements, records, security and breach notification.
Tier 2 Fines — Article 83(5)
Up to €20 million or 4% of global annual turnover (whichever is higher) for infringements of core principles, data subject rights, and international transfer rules.
Chapters IX–XI — Specific Situations, Delegated Acts & Final Provisions
The final three Chapters address Member State flexibility for specific processing contexts, Commission powers to adopt delegated or implementing acts, and the transitional and closing provisions of the Regulation.
Chapter IX — Provisions Relating to Specific Processing Situations (Articles 85–91)
Allows Member States to adopt or maintain specific rules for particular processing contexts.
Chapter X — Delegated Acts and Implementing Acts (Articles 92–93)
Sets mechanisms for Commission powers to adopt delegated or implementing acts.
Chapter XI — Final Provisions (Articles 94–99)
Covers repeal, transitional arrangements, review, and entry into force and application.