GDPR — Regulation (EU) 2016/679
General Data Protection Regulation. The framework act of EU law on the protection of personal data; it remains fully applicable when an AI system processes personal data, as expressly confirmed by Article 2(7) of the AI Act.
Identifiers
| Field | Value |
|---|---|
| Official title | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
| CELEX | 32016R0679 |
| Consolidated CELEX | 02016R0679-20160504 |
| ELI | http://data.europa.eu/eli/reg/2016/679/oj |
| Publication | OJ L 119, 4.5.2016, p. 1 |
| Adoption | 27 April 2016 |
| Entry into force | 24 May 2016 |
| Application | 25 May 2018 |
| Legal basis | Article 16 TFEU |
| Type of act | Regulation — directly applicable in all Member States |
Structure
11 chapters · 99 articles · 173 recitals · no annexes.
| Chapter | Subject | Articles |
|---|---|---|
| I | General provisions | 1 – 4 |
| II | Principles | 5 – 11 |
| III | Rights of the data subject | 12 – 23 |
| IV | Controller and processor | 24 – 43 |
| V | Transfers of personal data to third countries or international organisations | 44 – 50 |
| VI | Independent supervisory authorities | 51 – 59 |
| VII | Cooperation and consistency | 60 – 76 |
| VIII | Remedies, liability and penalties | 77 – 84 |
| IX | Provisions relating to specific processing situations | 85 – 91 |
| X | Delegated acts and implementing acts | 92 – 93 |
| XI | Final provisions | 94 – 99 |
Scope of application
Material (Art. 2): applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Express exclusions: activities outside the scope of EU law; common foreign and security policy; purely personal or household activities; activities of competent authorities for criminal-law enforcement purposes (covered instead by Directive (EU) 2016/680).
Territorial (Art. 3): applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union; and to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects, or the monitoring of their behaviour as far as their behaviour takes place within the Union.
Cross-references with the AI Act
The AI Act (Regulation (EU) 2024/1689) is expressly designed without prejudice to the GDPR. The main textual points of intersection:
| AI Act | GDPR | Nature of the intersection |
|---|---|---|
| Art. 2(7) | Whole GDPR | Safeguard clause: the AI Act is without prejudice to the GDPR |
| Recital 10 | — | The AI Act recognises the GDPR (together with Reg. 2018/1725 and Dir. 2016/680) as the reference framework for personal data |
| Art. 3(37) | Art. 9(1) | Definition of "special categories of personal data" — definitional cross-reference |
| Art. 3(50) | Art. 4(1) | Definition of "personal data" — definitional cross-reference |
| Art. 3(52) | Art. 4(4) | Definition of "profiling" — definitional cross-reference |
| Art. 10(5) | Art. 9 | Possibility to process special categories of personal data for bias monitoring of high-risk AI systems, subject to the conditions of the GDPR |
| Art. 26(10) | Art. 22 | Automated decision-making: the deployer of a high-risk AI system must inform the data subject pursuant to Article 22 GDPR |
| Art. 27 | Art. 35 | Fundamental Rights Impact Assessment (FRIA) and Data Protection Impact Assessment (DPIA): coordination between the two impact assessments |
| Art. 59 | Whole GDPR | AI regulatory sandboxes: the processing of personal data within a sandbox remains subject to the GDPR |
The table covers direct cross-references of the AI Act to the GDPR. Broader operational cross-references (governance, competent authorities, penalties) require case-by-case analysis and will be addressed in dedicated insights in the Soft law and Resources sections.
Cross-references with the Data Governance Act
The Data Governance Act (DGA, Reg. (EU) 2022/868) operates without prejudice to the GDPR (Article 1(3) DGA): in case of conflict the GDPR prevails, and the DGA does not create a legal basis for the processing of personal data. The main textual and operational points of intersection:
| GDPR | DGA | Nature of the intersection |
|---|---|---|
| Whole GDPR | Art. 1(3); Recital 4 | Safeguard clause: the DGA is without prejudice to the GDPR; in case of conflict the GDPR prevails; the DGA does not create a legal basis for the processing of personal data |
| Art. 4(1) ('personal data') | DGA, Art. 2, point (3) | Definition: direct definitional cross-reference |
| Art. 4(1) ('data subject') | DGA, Art. 2, point (7) | Definition: direct definitional cross-reference |
| Art. 4(2) ('processing') | DGA, Art. 2, point (12) | Definition: direct definitional cross-reference to the GDPR (and to Reg. (EU) 2018/1807 for non-personal data) |
| Art. 4(11); Art. 7 (consent) | DGA, Art. 2, point (5); Art. 25 (European data altruism consent form) | Definitional cross-reference + operational application: altruistic consent (DGA Art. 25) is subject to all GDPR conditions for valid consent (freely given, specific, informed, withdrawable) |
| Arts. 5, 6, 9; Art. 25 (privacy by design) | DGA, Chapter II — Arts. 3-9; Art. 5(3)-(13) | Re-use of protected public data including personal data: DGA conditions (anonymisation, secure environment, confidentiality agreements, prohibition of re-identification) accumulate with the GDPR legal basis and principles |
| Arts. 7, 12-22 (consent, data subject rights) | DGA, Chapter III — Arts. 10-15; Art. 12 (conditions of provision) | Data intermediation services involving personal data: operate in the interest of the data subject, structural separation from the data user, neutrality with regard to the data intermediated, prohibition on monetisation |
| Arts. 6, 7, 9; Art. 13 | DGA, Chapter IV — Arts. 16-25 (altruism); Art. 25 | Data altruism: consent to processing for altruistic purposes is collected through the European data altruism consent form (Commission implementing act) and is subject to all GDPR conditions |
The table covers direct cross-references. Broader operational cross-references (relations with the DSA, Cyber Resilience Act, NIS2 and the Product Liability Directive) will be the subject of dedicated analyses in the Soft law and Resources sections as the corresponding pages are published.
Amendments and corrigenda
The original 2016 text has been the subject of three corrigenda published in the Official Journal of the EU. The EUR-Lex consolidated version used in this section (02016R0679-20160504) integrates all corrigenda issued as of 4.5.2016. Further corrigenda subsequently published (OJ L 127, 23.5.2018; OJ L 074, 4.3.2021) are incorporated in subsequent revisions of the consolidated text.
Application status
The GDPR has been fully applicable since 25 May 2018 in all Member States of the European Union, without the need for national implementing acts, since it is a regulation. In Italy the application framework is completed by Legislative Decree 196/2003 (Personal Data Protection Code), reformed by Legislative Decree 101/2018 to align it with the GDPR.
Related glossary terms
Entries from the AI-centric glossary relevant to this act:
- Personal data
- Non-personal data
- Special categories of personal data
- Profiling
- Anonymisation
- Pseudonymisation
- Controller
- Processor
- Data subject
- Data Protection Impact Assessment (DPIA)
Official sources
- EUR-Lex — original Italian version (CELEX 32016R0679)
- EUR-Lex — consolidated Italian version
- EUR-Lex — original English version
- EUR-Lex — European Legislation Identifier (ELI)
- Italian Data Protection Authority (Garante) — GDPR section
- European Data Protection Board (EDPB)
Section index
- Recitals — full text of the 173 recitals in bilingual version
- Text of the regulation — all articles organised by chapter:
  - Chapter I — General provisions (Arts. 1-4)
  - Chapter II — Principles (Arts. 5-11)
  - Chapter III — Rights of the data subject (Arts. 12-23)
  - Chapter IV — Controller and processor (Arts. 24-43)
  - Chapter V — Transfers of personal data to third countries or international organisations (Arts. 44-50)
  - Chapter VI — Independent supervisory authorities (Arts. 51-59)
  - Chapter VII — Cooperation and consistency (Arts. 60-76)
  - Chapter VIII — Remedies, liability and penalties (Arts. 77-84)
  - Chapter IX — Provisions relating to specific processing situations (Arts. 85-91)
  - Chapter X — Delegated acts and implementing acts (Arts. 92-93)
  - Chapter XI — Final provisions (Arts. 94-99)