GDPR Overview and Structure
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It has applied since May 25, 2018, replacing the 1995 Data Protection Directive (95/46/EC), and establishes a unified framework for protecting personal data across all EU member states and the European Economic Area (EEA). The GDPR is structured into 11 chapters containing 99 articles, supplemented by 173 recitals that provide interpretive guidance.
**Chapter 1 (Articles 1-4):** Covers general provisions, including the regulation's scope, territorial application, and key definitions such as personal data, processing, controller, and processor.
**Chapter 2 (Articles 5-11):** Establishes core data processing principles including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. It also sets out the six lawful bases for processing.
**Chapter 3 (Articles 12-23):** Defines data subject rights, including access, rectification, erasure (right to be forgotten), data portability, and the right to object.
**Chapter 4 (Articles 24-43):** Sets obligations for controllers and processors, including data protection by design and by default, records of processing, security measures, breach notification, Data Protection Impact Assessments (DPIAs), and Data Protection Officers (DPOs).
**Chapter 5 (Articles 44-50):** Governs international data transfers, including adequacy decisions, Standard Contractual Clauses, and Binding Corporate Rules.
**Chapters 6-7 (Articles 51-76):** Establish independent supervisory authorities and cooperation mechanisms, including the consistency mechanism and the European Data Protection Board (EDPB).
**Chapter 8 (Articles 77-84):** Addresses remedies, liability, and penalties, including administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
**Chapters 9-11 (Articles 85-99):** Cover specific processing situations, delegated and implementing acts, and final provisions.
The GDPR's extraterritorial reach, risk-based approach, and significant enforcement powers make it a landmark regulation in global data protection law.
GDPR Overview and Structure: A Comprehensive Guide for CIPP/E Exam Preparation
Why is GDPR Overview and Structure Important?
Understanding the overall structure and framework of the General Data Protection Regulation (GDPR) is foundational to mastering European data protection law. The GDPR is the most significant piece of data protection legislation globally, and it serves as the cornerstone of the CIPP/E certification. Without a solid grasp of how the GDPR is organized, its key principles, and its overarching purpose, it becomes extremely difficult to navigate the more granular topics that appear throughout the exam. This topic sets the stage for everything else you will study.
From a practical standpoint, professionals working in privacy and data protection must be able to quickly locate relevant provisions, understand how different articles interact with one another, and explain the regulation's purpose and scope to stakeholders. The GDPR's structure is deliberate and logical, and understanding it provides a mental map that accelerates your ability to interpret and apply the law.
What is the GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is a comprehensive data protection law adopted by the European Union on April 27, 2016. It entered into force on May 24, 2016 and has applied since May 25, 2018, replacing the earlier Data Protection Directive 95/46/EC. Unlike a directive, which requires member states to transpose its provisions into national law, the GDPR is a regulation, meaning it is directly applicable in all EU member states without the need for implementing legislation. However, the GDPR does contain certain provisions that allow or require member states to adopt specific national derogations or supplementary rules (known as opening clauses).
The GDPR was designed to:
- Harmonize data protection rules across the EU
- Strengthen and modernize the rights of individuals (data subjects)
- Impose greater accountability obligations on organizations that process personal data
- Address the challenges of the digital age, cross-border data flows, and emerging technologies
- Establish a consistent enforcement framework with significant penalties for non-compliance
The Structure of the GDPR
The GDPR is composed of two main parts: the Recitals and the Articles. Understanding both is essential.
1. Recitals (173 Recitals)
The recitals are the preamble to the GDPR. They appear before the operative articles and provide context, explanations, and interpretive guidance for the articles. While recitals are not legally binding in themselves, they are extremely important because they help clarify the intent and meaning behind specific provisions. Courts and supervisory authorities frequently reference recitals when interpreting the GDPR. For the exam, you should be aware that recitals provide the spirit of the law, while articles provide the letter of the law.
2. Articles (99 Articles across 11 Chapters)
The GDPR's articles are organized into 11 chapters, each addressing a distinct area of data protection. Here is a breakdown:
Chapter I – General Provisions (Articles 1–4)
This chapter sets the foundation. It covers the subject matter and objectives of the GDPR (Article 1), the material scope (Article 2), the territorial scope (Article 3), and definitions (Article 4). Article 3 is particularly important: it applies the regulation to processing in the context of an establishment in the EU regardless of where the processing itself takes place (Article 3(1)), and it establishes the GDPR's extraterritorial reach by applying the regulation to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior within the EU (Article 3(2)). Article 4 contains 26 definitions of key terms such as personal data, processing, controller, processor, consent, and personal data breach.
Chapter II – Principles (Articles 5–11)
This is one of the most critical chapters. Article 5 sets out the core principles relating to the processing of personal data: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Article 6 establishes the six lawful bases for processing: consent, contract, legal obligation, vital interests, public interest/official authority, and legitimate interests. Articles 7–11 address conditions for consent, conditions for processing children's data, processing of special categories of data, processing relating to criminal convictions, and processing that does not require identification.
Chapter III – Rights of the Data Subject (Articles 12–23)
This chapter details the rights that individuals have under the GDPR, including the right to transparent information (Articles 12–14), right of access (Article 15), right to rectification (Article 16), right to erasure or 'right to be forgotten' (Article 17), right to restriction of processing (Article 18), notification obligation regarding rectification, erasure, or restriction (Article 19), right to data portability (Article 20), right to object (Article 21), rights related to automated decision-making and profiling (Article 22), and restrictions on rights (Article 23).
Chapter IV – Controller and Processor (Articles 24–43)
This chapter addresses the obligations of data controllers and processors, including responsibilities of the controller (Article 24), data protection by design and by default (Article 25), joint controllers (Article 26), representatives of controllers or processors not established in the EU (Article 27), processor obligations (Articles 28–29), records of processing activities (Article 30), cooperation with supervisory authorities (Article 31), security of processing (Article 32), notification of data breaches to the supervisory authority and communication to data subjects (Articles 33–34), data protection impact assessments and prior consultation (Articles 35–36), the designation and role of the Data Protection Officer (Articles 37–39), codes of conduct (Articles 40–41), and certification mechanisms (Articles 42–43).
Chapter V – Transfers of Personal Data to Third Countries or International Organisations (Articles 44–50)
This chapter governs international data transfers. It establishes the general principle that transfers may only occur if the conditions of the chapter are met. Key mechanisms include adequacy decisions (Article 45), appropriate safeguards such as Standard Contractual Clauses and Binding Corporate Rules (Articles 46–47), and derogations for specific situations (Article 49).
Chapter VI – Independent Supervisory Authorities (Articles 51–59)
This chapter establishes the requirement for each member state to have one or more independent supervisory authorities (also known as Data Protection Authorities or DPAs) and outlines their competence, tasks, and powers, including investigative powers, corrective powers, and advisory powers.
Chapter VII – Cooperation and Consistency (Articles 60–76)
This chapter creates the cooperation (one-stop-shop) procedure and the consistency mechanism. It sets out how the lead supervisory authority for cross-border processing (whose competence is defined in Article 56, in Chapter VI) cooperates with the other supervisory authorities concerned (Article 60), mutual assistance between authorities (Article 61), joint operations (Article 62), the consistency mechanism including EDPB opinions, binding dispute resolution, and the urgency procedure (Articles 63–67), and the establishment, role, and tasks of the European Data Protection Board (EDPB) (Articles 68–76).
Chapter VIII – Remedies, Liability and Penalties (Articles 77–84)
This chapter provides data subjects with the right to lodge a complaint with a supervisory authority (Article 77), the right to an effective judicial remedy against a supervisory authority (Article 78) or against a controller or processor (Article 79), rules on representation (Article 80), the right to compensation (Article 82), and the framework for administrative fines (Article 83), including the well-known two-tier penalty structure: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for certain violations, and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for more serious violations such as breaches of the principles, lawful bases, data subject rights, or transfer rules.
Chapter IX – Provisions Relating to Specific Processing Situations (Articles 85–91)
This chapter addresses special processing situations where member states may adopt specific rules, including processing and freedom of expression (Article 85), processing and public access to official documents (Article 86), processing of national identification numbers (Article 87), processing in the employment context (Article 88), safeguards for archiving, research, and statistics (Article 89), obligations of secrecy (Article 90), and data protection rules of churches and religious associations (Article 91).
Chapter X – Delegated Acts and Implementing Acts (Articles 92–93)
This short chapter addresses the European Commission's power to adopt delegated acts and implementing acts to supplement or implement the GDPR.
Chapter XI – Final Provisions (Articles 94–99)
This chapter covers the repeal of Directive 95/46/EC (Article 94), the relationship with the ePrivacy Directive 2002/58/EC (Article 95) and with previously concluded international agreements (Article 96), the Commission's reporting and review duties (Articles 97–98), and the entry into force and date of application (Article 99).
How the GDPR Works in Practice
The GDPR operates on several key mechanisms:
Risk-Based Approach: The GDPR does not prescribe a one-size-fits-all approach. Instead, it requires organizations to assess the risks their processing activities pose to individuals' rights and freedoms and to implement appropriate measures accordingly. For example, a Data Protection Impact Assessment (DPIA) is required only when processing is likely to result in a high risk to individuals.
Accountability Principle: Under Article 5(2), the controller is responsible for and must be able to demonstrate compliance with the data protection principles. This is a significant shift from the previous directive, which was more focused on notification to authorities. Under the GDPR, controllers must proactively demonstrate their compliance through documentation, policies, training, DPIAs, and other measures.
Cooperation and Consistency: The GDPR establishes a cooperative framework among DPAs, particularly for cross-border processing. The lead supervisory authority mechanism ensures that organizations dealing with multiple EU member states have a single primary point of contact. The EDPB ensures consistency in the application of the GDPR across the EU.
Enforcement: DPAs have broad investigative and corrective powers. The two-tier fine structure provides a strong deterrent. Additionally, data subjects can seek judicial remedies and compensation for damages suffered as a result of GDPR violations.
Key Concepts to Remember for the Exam
- The GDPR is a regulation, not a directive – it is directly applicable across all EU member states.
- It contains 173 recitals and 99 articles organized into 11 chapters.
- Recitals provide interpretive guidance but are not legally binding; articles are the operative legal provisions.
- The GDPR has extraterritorial scope (Article 3) – it can apply to organizations outside the EU.
- There are opening clauses that allow member states to make certain national derogations.
- The accountability principle (Article 5(2)) is a cornerstone of the GDPR.
- There are six lawful bases for processing personal data (Article 6).
- The GDPR establishes a two-tier administrative fine structure (Article 83).
- The EDPB replaced the Article 29 Working Party and ensures consistency in GDPR application.
- The one-stop-shop mechanism applies to cross-border processing situations.
Exam Tips: Answering Questions on GDPR Overview and Structure
1. Know the Chapter Structure: Many exam questions test your ability to locate provisions within the GDPR. Familiarize yourself with which topics fall under which chapters. For example, if a question asks about international data transfers, you should immediately think of Chapter V (Articles 44–50). If it asks about DPA powers, think Chapter VI.
2. Distinguish Between Recitals and Articles: Be prepared for questions that test whether you understand the legal weight of recitals versus articles. Remember: recitals guide interpretation, but articles contain the binding legal obligations.
3. Understand the Nature of a Regulation vs. a Directive: This is a commonly tested concept. A regulation is directly applicable; a directive must be transposed into national law. The GDPR replaced the Data Protection Directive, but some questions may test why the EU chose a regulation over a directive (answer: to achieve greater harmonization).
4. Pay Attention to Opening Clauses: While the GDPR is directly applicable, member states have flexibility in certain areas through opening clauses. Common examples include the age of consent for children (Article 8 allows member states to lower the age from 16 to as low as 13), employment data processing (Article 88), and processing for journalistic purposes (Article 85). Expect questions that test your knowledge of where national variation is permitted.
5. Focus on Key Articles: Certain articles are tested more frequently: Article 3 (territorial scope), Article 4 (definitions), Article 5 (principles), Article 6 (lawful bases), Article 25 (data protection by design and by default), Article 30 (records of processing), Article 33 (breach notification to authorities), Article 35 (DPIAs), and Article 83 (administrative fines).
6. Use Process of Elimination: When facing multiple-choice questions, eliminate answers that confuse chapters or misattribute provisions. For instance, if an answer option places data subject rights under Chapter IV (which actually covers controller and processor obligations), you can eliminate it.
7. Remember Key Dates and Numbers: The GDPR was adopted on April 27, 2016, and became enforceable on May 25, 2018. It has 99 articles, 173 recitals, and 11 chapters. The maximum fines are €20 million or 4% of global annual turnover (whichever is higher) for the most serious violations.
8. Understand the Risk-Based Approach: Questions may ask about when certain obligations apply (e.g., when a DPIA is required). The answer often relates to the level of risk the processing poses to individuals. The GDPR is not a checklist – it requires proportionate responses based on risk assessment.
9. Read Questions Carefully: Some questions may test subtle distinctions, such as whether the GDPR applies to all processing of personal data (it does not – see the exclusions in Article 2(2), such as purely personal or household activities, activities outside the scope of Union law such as national security, and processing by competent authorities for law enforcement purposes, which is governed by Directive (EU) 2016/680 instead). Always read the full question and all answer options before selecting your response.
10. Connect Structure to Application: The exam doesn't just test memorization of the GDPR's structure. It tests your ability to apply that knowledge to practical scenarios. When you encounter a scenario-based question, first identify the relevant chapter and articles, then apply the specific provisions to the facts presented. This structured approach will help you arrive at the correct answer more efficiently and confidently.