← Frameworks / Privacy Regulation

EU General Data Protection Regulation (2016/679)

The EU's comprehensive data protection and privacy regulation. Establishes principles for lawful processing, data subject rights, controller and processor obligations, breach notification (72 hours), data protection by design and by default, and cross-border transfer safeguards. Applies to any organisation processing personal data of EU residents.

Clauses: 95

Avg Coverage: 36.7%

Publisher: European Union Version: 2016/679

EU GDPR → SP 800-53 SP 800-53 → EU GDPR Coverage Analysis

Clause	Title	SP 800-53 Controls
Art.5(1)(a)	Lawfulness, fairness and transparency	PT-01 PT-02 PT-04 PT-05
Art.5(1)(b)	Purpose limitation	PT-01 PT-03 PT-05 PT-07 CM-13
Art.5(1)(c)	Data minimisation	AC-06 PT-07 CM-12
Art.5(1)(d)	Accuracy	SI-01 SI-06 SI-07 SI-10 SI-18
Art.5(1)(e)	Storage limitation	AC-16 AU-04 AU-11 PT-07 SI-12 CM-12
Art.5(1)(f)	Integrity and confidentiality	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-09 AC-13 AC-15 AU-09 IA-01 IA-04 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 SC-01 SC-02 SC-04 SC-07 SC-08 SI-01 SI-07 SI-09 SI-12 SC-28 SC-13
Art.5(2)	Accountability	AC-13 AT-04 AU-01 AU-02 AU-07 AU-10 PT-01 CM-13
Art.6(1)	Lawfulness of processing — general	PT-01 PT-02
Art.6(1)(a)	Lawfulness — consent as legal basis	PT-04
Art.6(1)(b)	Lawfulness — contractual necessity
Art.6(1)(c)	Lawfulness — legal obligation
Art.6(1)(f)	Lawfulness — legitimate interests
Art.6(4)	Lawfulness — compatibility of further processing	PT-03 PT-07 CM-13
Art.7(1)	Conditions for consent — demonstrability	PT-04 AU-02 AU-03
Art.7(2)	Conditions for consent — distinguishable request	PT-04
Art.7(3)	Conditions for consent — right to withdraw	PT-04
Art.8(1)	Child's consent in relation to information society services	PT-04
Art.9(1)	Processing of special categories of personal data — prohibition	AC-16 MP-03 PT-01 PT-03 PT-07
Art.9(2)	Processing of special categories — exceptions	PT-03
Art.12(1)	Transparent information, communication and modalities — transparency	AC-08 PT-01 PT-02 PT-05
Art.12(2)	Transparent information — facilitating exercise of data subject rights
Art.12(7)	Transparent information — standardised icons	PT-02
Art.13(1)	Information to be provided where data collected from data subject	AC-08 PT-01 PT-02 PT-05
Art.13(2)	Information to be provided — additional information for fair processing	PT-02
Art.14(1)	Information where data not obtained from data subject	PT-01 PT-02 PT-05
Art.14(2)	Information where data not obtained — additional details	PT-02
Art.15(1)	Right of access by the data subject
Art.15(3)	Right of access — copy of data
Art.16	Right to rectification	SI-18
Art.17(1)	Right to erasure ('right to be forgotten')	AU-11 MP-06 SI-12 SR-12
Art.17(2)	Right to erasure — notification to recipients
Art.18(1)	Right to restriction of processing
Art.19	Notification obligation regarding rectification or erasure or restriction
Art.20(1)	Right to data portability
Art.20(2)	Right to data portability — direct transmission
Art.21(1)	Right to object
Art.22(1)	Automated individual decision-making, including profiling	PT-08
Art.22(2)	Automated decision-making — exceptions allowing automated processing	PT-08
Art.22(3)	Automated decision-making — safeguards	PT-08
Art.22(4)	Automated decision-making — special categories	PT-08
Art.24(1)	Responsibility of the controller — appropriate measures	AC-01 AC-05 AT-04 AU-01 CA-01 CA-05 CA-06 PL-01 RA-01 PL-09 PL-10
Art.24(2)	Responsibility of the controller — data protection policies	AC-01 PL-09
Art.25(1)	Data protection by design	AC-01 CM-01 CM-02 CM-06 CM-07 PL-01 PL-02 PL-03 PL-06 PT-06 SA-01 SA-02 SA-03 SA-06 SA-07 SA-08 SA-10 SA-11 CM-12 CM-13
Art.25(2)	Data protection by default	AC-02 AC-03 AC-06 AC-14 CM-06 CM-07 PT-06 SA-08 SI-09
Art.28(1)	Processor obligations — sufficient guarantees	AC-20 PS-07 SA-03 SA-04 SA-09 SR-01 SR-02 SR-03 SR-09 SR-12
Art.28(2)	Processor obligations — sub-processor authorisation	SR-03
Art.28(3)	Processor obligations — binding contract terms	SA-04 SA-09 SR-01
Art.28(3)(a)	Processor contract — processing on documented instructions	AC-20 CA-03 SA-04 SR-04 SR-05 SR-07
Art.28(3)(b)	Processor contract — confidentiality obligations	MA-05 PS-03 PS-07
Art.28(3)(c)	Processor contract — security measures per Art. 32	SR-02
Art.28(3)(f)	Processor contract — audit and inspection rights	SR-08
Art.28(3)(g)	Processor contract — data deletion/return after services end	SR-12
Art.28(3)(h)	Processor contract — compliance demonstration and audit cooperation	SR-02 SR-04 SR-05 SR-06 SR-07 SR-10 SR-11
Art.28(4)	Processor obligations — sub-processor contract obligations	SR-01 SR-03 SR-09
Art.29	Processing under the authority of the controller or processor	AT-03 PL-04 PS-04 PS-05 PS-06 PS-09
Art.30(1)	Records of processing activities — controller	AU-01 AU-04 AU-07 CM-08 RA-02 SA-05 CM-12 CM-13
Art.30(1)(g)	Records of processing — security measures description	AU-02 AU-03
Art.30(2)	Records of processing activities — processor	AU-01 CM-13
Art.30(2)(d)	Records of processing — processor security measures description	SR-11
Art.32(1)	Security of processing — appropriate technical and organisational measures	RA-01 RA-03 SA-02 RA-07
Art.32(1)(a)	Security measures — pseudonymisation and encryption	AC-04 AC-17 AC-18 AC-19 CA-03 IA-05 IA-07 MA-04 MP-01 MP-04 MP-05 MP-06 SC-01 SC-03 SC-04 SC-07 SC-08 SC-09 SC-11 SC-12 SC-13 SC-14 SC-16 SC-17 SC-19 SC-20 SC-21 SC-22 SC-23 SI-12 SC-28
Art.32(1)(b)	Security measures — confidentiality, integrity, availability, resilience	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-10 AC-11 AC-12 AC-17 AC-18 AC-19 AC-20 AU-05 AU-09 CM-01 CM-02 CM-03 CM-05 CM-06 CM-07 CP-01 CP-02 CP-08 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 MA-01 MA-02 MA-03 MA-04 MP-02 PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-16 PE-17 PS-04 PS-05 SC-01 SC-02 SC-03 SC-05 SC-06 SC-07 SC-10 SC-15 SC-18 SC-23 SC-24 SI-01 SI-02 SI-03 SI-04 SI-07 SI-08 SI-11
Art.32(1)(c)	Security measures — restore availability and access after incident	CP-01 CP-02 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10
Art.32(1)(d)	Security measures — regular testing and evaluation	AC-07 AC-09 AC-13 AU-05 AU-06 CA-01 CA-02 CA-04 CA-05 CA-07 CM-03 CM-04 CP-02 CP-03 CP-04 CP-05 CP-10 IA-01 IA-02 IR-03 MA-02 MA-06 PE-06 RA-04 RA-05 SA-10 SA-11 SI-02 SI-04 SI-05 SI-06 CA-09
Art.32(2)	Security measures — risk assessment for appropriate level	AC-01 CA-01 RA-07
Art.32(4)	Security measures — personnel authorisation and confidentiality	AC-02 AT-03 MA-05 PS-01 PS-02 PS-03 PS-06 PS-07 PS-08 PS-09
Art.33(1)	Notification of breach to supervisory authority — 72 hours	AU-08 IR-01 IR-04 IR-06 IR-07
Art.33(2)	Notification of breach — processor to controller notification	IR-01 IR-02 IR-06 SR-08 IR-09
Art.33(3)	Notification of breach — content requirements	AU-02 IR-04
Art.33(3)(a)	Breach notification content — nature of breach	AU-03
Art.33(3)(b)	Breach notification content — DPO contact details	AU-03
Art.33(3)(d)	Breach notification content — measures taken	AU-06 IR-05
Art.33(4)	Breach notification — phased provision of information	IR-04
Art.33(5)	Breach notification — documentation requirement	IR-03 IR-05 IR-09
Art.34(1)	Communication of breach to data subject — high risk	IR-01 IR-04 IR-06 IR-07
Art.34(2)	Breach communication to data subject — content	IR-01 IR-07
Art.34(3)	Communication of breach to data subject — exceptions	IR-06
Art.35(1)	Data protection impact assessment — requirement	CA-02 CM-04 PL-02 PL-05 PL-06 PT-06 RA-01 RA-03 RA-08
Art.35(3)	DPIA — mandatory cases	RA-08
Art.35(7)	DPIA — minimum content	CA-02 PL-02 PL-05 PT-06 RA-08
Art.35(7)(a)	DPIA content — systematic description of processing	CM-08 RA-02 CM-12 CM-13
Art.35(7)(c)	DPIA content — risk assessment to data subjects	RA-03 RA-08
Art.35(11)	DPIA — review when processing changes	CA-07 RA-04
Art.36(1)	Prior consultation with supervisory authority	CA-06 PL-05
Art.37(1)	Designation of the data protection officer	PS-09
Art.38(3)	Position of the DPO — independence and non-dismissal
Art.39(1)	Tasks of the DPO	PS-09
Art.39(1)(b)	DPO tasks — monitoring compliance including training	AT-01 AT-02 AT-05 IR-02 PL-04 PS-01 AT-06
Art.44	General principle for transfers to third countries	AC-04 AC-17 MP-05 SA-09
Art.46(1)	Transfers subject to appropriate safeguards	AC-04 SA-09
Art.46(2)	Appropriate safeguards — specific instruments for transfers	SA-09
Art.47(2)(n)	Binding corporate rules — training content	AT-01 AT-02 AT-03 AT-06
Art.49(1)	Derogations for specific situations
Rec.78	Recital 78 — appropriate technical and organisational measures	AT-01 CM-01 MA-01 MP-01 PE-01 PS-01 SA-01 SA-08 CM-12 CM-13
Rec.83	Recital 83 — security measures including encryption	IA-07 SC-08 SC-09 SC-12 SC-13 SC-17 SC-28