
GDPR Key Articles Explained

A plain-language breakdown of the most important GDPR articles, what they require, and how to implement them in your organization.

Updated February 2026

Key Takeaways

  • Article 6 establishes six lawful bases for processing personal data, with consent and legitimate interests being the most commonly used by private organizations.
  • Articles 13-14 require comprehensive transparency through privacy notices provided at the point of data collection.
  • Articles 15-22 define data subject rights that organizations must be prepared to fulfill within one month of request.
  • Articles 25 and 35 mandate privacy by design and Data Protection Impact Assessments for high-risk processing.
  • Articles 44-49 govern cross-border data transfers, requiring adequate safeguards for transfers outside the EEA.
  • Article 83 establishes a two-tier penalty structure with fines up to EUR 20 million or 4% of global annual turnover.

Lawful Basis and Processing Principles (Articles 5-6)

Article 5: Core Data Protection Principles

Article 5 establishes the foundational principles that govern all personal data processing under the GDPR. These principles are lawfulness, fairness, and transparency (data must be processed lawfully and in a transparent manner), purpose limitation (data must be collected for specified, explicit, and legitimate purposes), data minimization (data collected must be adequate, relevant, and limited to what is necessary), accuracy (data must be kept accurate and up to date), storage limitation (data must not be kept longer than necessary), and integrity and confidentiality (data must be processed with appropriate security).

The accountability principle in Article 5(2) requires controllers not only to comply with these principles but to be able to demonstrate compliance. This means maintaining records of processing activities, conducting impact assessments where required, implementing appropriate technical and organizational measures, and documenting the rationale behind processing decisions.

These principles should inform every aspect of your data processing operations. DiscoverIQ helps operationalize the data minimization and storage limitation principles by identifying unnecessary data holdings, while ClassifyIQ supports accuracy by identifying data categories and ensuring appropriate handling. RetainIQ automates retention policy enforcement to ensure data is not kept longer than necessary.

Article 6: Lawful Bases for Processing

Article 6 defines six lawful bases that organizations can rely on to process personal data. Consent requires a freely given, specific, informed, and unambiguous indication of the data subject's wishes. Contractual necessity permits processing needed to perform or enter into a contract with the data subject. Legal obligation allows processing required to comply with EU or member state law. Vital interests covers processing necessary to protect someone's life. Public task applies to processing necessary for official authority or public interest tasks. Legitimate interests permits processing for the legitimate interests of the controller or a third party, balanced against the data subject's rights.

Choosing the correct lawful basis is a critical compliance decision because it determines which data subject rights apply and what information must be included in privacy notices. For example, data subjects have a stronger right to erasure when processing is based on consent, and the right to data portability only applies to consent or contractual necessity. Organizations should document their lawful basis determination for each processing activity before processing begins.

For most commercial organizations, consent and legitimate interests are the most frequently used bases. ConsentIQ provides granular consent management that meets the GDPR's strict consent requirements, including purpose-specific consent collection, clear withdrawal mechanisms, and comprehensive consent records that demonstrate compliance during audits.

Transparency and Data Subject Rights (Articles 13-22)

Articles 13-14: Privacy Notices and Transparency

Articles 13 and 14 specify the information that must be provided to data subjects when their personal data is collected. Article 13 applies when data is collected directly from the data subject, while Article 14 applies when data is obtained from other sources. Both require disclosure of the controller's identity and contact details, the DPO's contact details, the purposes and lawful basis for processing, recipients of the data, and data subject rights.

Article 13 additionally requires disclosure at the time of collection, information about any transfers to third countries and the safeguards in place, and the retention period or criteria for determining it. Article 14 requires disclosure within a reasonable period (no later than one month) after obtaining the data, or at the time of first communication with the data subject, and must also specify the source of the personal data.

The information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Layered privacy notices — with a short-form summary linking to a detailed notice — have become a common approach to balancing comprehensiveness with readability. ComplyIQ provides privacy notice templates that ensure all required disclosures are included and properly formatted.

Articles 15-22: Data Subject Rights

The GDPR grants data subjects a comprehensive set of rights. Article 15 provides the right of access, allowing individuals to obtain confirmation of processing and a copy of their data. Article 16 grants the right to rectification of inaccurate data. Article 17 establishes the right to erasure (right to be forgotten) in specific circumstances. Article 18 provides the right to restriction of processing. Article 20 establishes the right to data portability in a structured, commonly used format. Article 21 grants the right to object to processing based on legitimate interests or public task. Article 22 provides rights related to automated individual decision-making, including profiling.

Organizations must respond to data subject requests without undue delay and within one month of receipt. This can be extended by two further months for complex or numerous requests, but the data subject must be informed of the extension within the initial month. Requests can only be refused if the organization can demonstrate that the request is manifestly unfounded or excessive.

SearchIQ enables organizations to fulfill these rights efficiently by locating personal data across all connected data systems, aggregating it for access requests, identifying it for erasure requests, and exporting it in portable formats. The platform's automated workflows ensure that response deadlines are tracked and met consistently.

Checklist:

  • Implement accessible request submission channels for all data subject rights
  • Build identity verification processes appropriate to data sensitivity
  • Create automated workflows for each right type with deadline tracking
  • Ensure systems can export data in structured, machine-readable formats for portability
  • Establish processes for cascading erasure requests to processors and third parties
  • Train staff to recognize data subject requests received through informal channels

Accountability and Governance (Articles 25, 30, 35, 37)

Article 25: Data Protection by Design and Default

Article 25 requires controllers to implement appropriate technical and organizational measures that give effect to the data protection principles and integrate the necessary safeguards into processing. This obligation applies both at the time of determining the means for processing and at the time of processing itself. It means that data protection must be considered from the earliest design stage of any system, product, or service that processes personal data.

Data protection by default requires that, by default, only personal data necessary for each specific processing purpose is collected, processed, stored, and made accessible. This includes limiting the amount of data collected, the extent of processing, the period of storage, and accessibility. For example, a user registration form should only request information necessary for the account, not additional data fields that might be useful in the future.

Implementing privacy by design requires collaboration between privacy, legal, engineering, and product teams. Establish privacy reviews as a standard part of the product development lifecycle, conduct threat modeling for data processing activities, and use privacy-enhancing technologies such as pseudonymization and encryption by default. ProtectIQ provides data masking and encryption capabilities that can be integrated into development pipelines to enforce data protection by default.

Article 35: Data Protection Impact Assessments

Article 35 requires controllers to conduct a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to the rights and freedoms of natural persons. DPIAs are mandatory for systematic and extensive evaluation of personal aspects (profiling), large-scale processing of special categories of data or criminal conviction data, and systematic monitoring of a publicly accessible area on a large scale. Supervisory authorities also publish lists of processing operations that require DPIAs.

A DPIA must contain a systematic description of the processing operations and their purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects' rights and freedoms, and the measures envisaged to address those risks. If the DPIA indicates that processing would result in a high risk that cannot be mitigated, the controller must consult with the supervisory authority before proceeding.

ComplyIQ provides DPIA templates and workflow automation that guide organizations through the assessment process. The platform integrates with DiscoverIQ to pull in data mapping information and with ClassifyIQ to identify the categories and sensitivity of data involved, creating a comprehensive and accurate impact assessment.

Article 37: Data Protection Officer

Article 37 requires the appointment of a Data Protection Officer (DPO) when the processing is carried out by a public authority or body, when the core activities of the controller or processor consist of operations requiring regular and systematic monitoring of data subjects on a large scale, or when the core activities consist of large-scale processing of special categories of data or criminal conviction data.

The DPO must have expert knowledge of data protection law and practices, must be provided with the necessary resources, must not receive instructions regarding the exercise of their tasks, and must report directly to the highest management level. The DPO can be a staff member or an external service provider, and a group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

Even when a DPO appointment is not legally required, many organizations choose to appoint one as a best practice to coordinate compliance activities and serve as a privacy advocate within the organization. The DPO role is instrumental in maintaining and improving the organization's compliance posture, and the availability of tools like ComplyIQ reduces the administrative burden on the DPO, allowing them to focus on strategic privacy governance.

International Transfers and Enforcement (Articles 44-49, 83)

Articles 44-49: Cross-Border Data Transfers

Chapter V of the GDPR (Articles 44-49) restricts the transfer of personal data to countries outside the European Economic Area unless adequate protections are in place. Article 45 permits transfers to countries that the European Commission has determined provide an adequate level of data protection. Article 46 allows transfers subject to appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved codes of conduct and certification mechanisms.

Following the Schrems II decision, organizations relying on SCCs must conduct a Transfer Impact Assessment (TIA) to evaluate whether the legal framework in the destination country provides essentially equivalent protection. If the assessment reveals gaps, supplementary measures such as encryption, pseudonymization, or contractual commitments must be implemented to bridge the gap.

Article 49 provides derogations for specific situations including explicit consent (after being informed of the risks), contractual necessity, important reasons of public interest, legal claims, and vital interests. These derogations should be used as exceptions rather than the primary basis for regular transfers. Organizations with regular cross-border data flows should invest in establishing robust transfer mechanisms under Articles 45 or 46.

Article 83: Penalties and Fines

Article 83 establishes a two-tier penalty structure for GDPR violations. Lower-tier violations, including failures to maintain records, failure to appoint a DPO when required, and inadequate security measures, can result in fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Upper-tier violations, including unlawful processing, failure to obtain valid consent, and violations of data subject rights, can result in fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.

Fines are determined based on factors including the nature, gravity, and duration of the infringement, whether the infringement was intentional or negligent, actions taken to mitigate damage, degree of responsibility considering technical and organizational measures, any relevant previous infringements, the degree of cooperation with the supervisory authority, and the categories of personal data affected.

Since the GDPR came into effect, supervisory authorities across the EU have imposed billions of euros in fines, with notable penalties against major technology companies, financial institutions, and telecommunications providers. These enforcement actions underscore the importance of comprehensive compliance programs. ComplyIQ helps organizations maintain the documentation and demonstrate the accountability that may reduce penalties in the event of a compliance shortfall.

Frequently Asked Questions

What is the most commonly cited GDPR article in enforcement actions?

Articles 5 and 6 (principles of processing and lawful basis) are the most frequently cited in enforcement actions, often in combination with other articles. Article 32 (security of processing) is also commonly cited in connection with data breaches. Organizations should pay particular attention to ensuring they have a documented lawful basis for each processing activity and appropriate security measures in place.

Does the GDPR apply to small businesses?

Yes, the GDPR applies to all organizations that process personal data of EU residents, regardless of size. However, some obligations are proportional to the nature and scale of processing. For example, the record-keeping obligation under Article 30 has a limited exemption for organizations with fewer than 250 employees, though this exemption does not apply if processing is likely to result in a risk to rights and freedoms, is not occasional, or includes special categories of data.

When is a DPIA required under the GDPR?

A DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms. Specific triggers include systematic and extensive profiling with significant effects, large-scale processing of special categories of data, and systematic monitoring of public areas. Supervisory authorities also publish lists of processing operations that require DPIAs. When in doubt, conducting a DPIA is recommended as a best practice even if not strictly required.

Can GDPR fines be imposed on data processors?

Yes, the GDPR imposes direct obligations on data processors, and processors can be fined for violating their specific obligations. These include maintaining processing records, implementing appropriate security measures, appointing a DPO when required, cooperating with supervisory authorities, and only processing data according to the controller's instructions. Several processors have been fined for security failures and unauthorized processing.