Regulation (EU) 2016/679 — General Data Protection Regulation
Official EUR-Lex text of the General Data Protection Regulation (GDPR). The foundational EU data protection law establishing rules for processing personal information of individuals in the EU. Effective 25 May 2018.
Published: 27 April 2016 (signed); Official Journal of the European Union, 4 May 2016, L 119/1–88.
Regulatory scope: Applies to processing of personal data by organizations operating in the EU or processing data about EU residents, regardless of organization location.
Key Provisions Relevant to CDP Governance
Article 6 — Lawful bases for processing. Processing is only lawful if at least one of six bases applies: (a) consent, (b) contract performance, (c) legal obligation, (d) vital interests, (e) public task, (f) legitimate interest. CDPs relying on consent must satisfy Art. 7 conditions; those relying on legitimate interest require a balancing test.
Article 7 — Conditions for consent. Consent must be freely given, specific, informed, and unambiguous, and must be demonstrated by a clear affirmative act. Pre-ticked boxes and inactivity do not constitute valid consent. Data subjects may withdraw consent at any time; withdrawal must be as easy as giving consent. Also covered by companion source node source.gdpr-info-eu.art-7-gdpr-2016 (secondary, accessible interpretation layer).
Article 17 — Right to erasure ("right to be forgotten"). Data subjects have the right to obtain erasure of their personal data where: data is no longer necessary, consent is withdrawn and no other lawful basis applies, or the individual objects and there is no overriding legitimate ground. For CDPs: deletion obligations cascade across connected CDW tables, reverse-ETL destinations, and ad-platform custom audiences. Covered by companion source node source.gdpr-info-eu.art-17-gdpr-2016.
Article 22 — Automated individual decision-making including profiling. Data subjects have the right not to be subject to solely automated decisions that produce significant legal effects or similarly significant impact. CDPs operating AI-driven decisioning (recommendation engines, propensity scoring for credit/insurance, automated segmentation with downstream legal consequences) must implement human oversight mechanisms.
Fetch note: This Tier-1 fetch returned the regulation preamble and recitals through approximately Recital 84. The full 99-article normative text is in the Official Journal PDF. The preamble and recitals provide authoritative interpretive context for the articles. This URL had previously returned HTTP 403 from this routine's execution environment across multiple runs (May 2026); the fetch was successful on 2026-06-04.