| Recital 1 | – | Data protection as a fundamental right |
| Recital 2 | – | Respect of the fundamental rights and freedoms |
| Recital 3 | – | Directive 95/46/EC harmonisation |
| Recital 4 | – | Data protection in balance with other fundamental rights |
| Recital 5 | – | Cooperation between Member States to exchange personal data |
| Recital 6 | – | Ensuring a high level of data protection despite the increased exchange of data |
| Recital 7 | – | The framework is based on control and certainty |
| Recital 8 | – | Adoption into national law |
| Recital 9 | – | Different standards of protection by the Directive 95/46/EC |
| Recital 10 | – | Harmonised level of data protection despite national scope |
| Recital 11 | – | Harmonisation of the powers and sanctions |
| Recital 12 | – | Authorization of the European Parliament and the Council |
| Recital 13 | – | Taking account of micro, small and medium-sized enterprises |
| Recital 14 | – | Not applicable to legal persons |
| Recital 15 | – | Technology neutrality |
| Recital 16 | – | Not applicable to activities regarding national and common security |
| Recital 17 | – | Adaptation of Regulation (EC) No 45/2001 |
| Recital 18 | – | Not applicable to personal or household activities |
| Recital 19 | – | Not applicable to criminal prosecution |
| Recital 20 | – | Respecting the independence of the judiciary |
| Recital 21 | – | Liability rules of intermediary service providers shall remain unaffected |
| Recital 22 | – | Processing by an establishment |
| Recital 23 | – | Applicable to processors not established in the Union if data subjects within the Union are targeted |
| Recital 24 | – | Applicable to processors not established in the Union if data subjects within the Union are profiled |
| Recital 25 | – | Applicable to processors due to international law |
| Recital 26 | – | Not applicable to anonymous data |
| Recital 27 | – | Not applicable to data of deceased persons |
| Recital 28 | – | Introduction of pseudonymisation |
| Recital 29 | – | Pseudonymisation at the same controller |
| Recital 30 | – | Online identifiers for profiling and identification |
| Recital 31 | – | Not applicable to public authorities in connection with their official tasks |
| Recital 32 | – | Conditions for consent |
| Recital 33 | – | Consent to certain areas of scientific research |
| Recital 34 | – | Genetic data |
| Recital 35 | – | Health data |
| Recital 36 | – | Determination of the main establishment |
| Recital 37 | – | Enterprise group |
| Recital 38 | – | Special protection of children’s personal data |
| Recital 39 | – | Principles of data processing |
| Recital 40 | – | Lawfulness of data processing |
| Recital 41 | – | Legal basis or legislative measures |
| Recital 42 | – | Burden of proof and requirements for consent |
| Recital 43 | – | Freely given consent |
| Recital 44 | – | Performance of a contract |
| Recital 45 | – | Fulfillment of legal obligations |
| Recital 46 | – | Vital interests of the data subject |
| Recital 47 | – | Overriding legitimate interest |
| Recital 48 | – | Overriding legitimate interest within group of undertakings |
| Recital 49 | – | Network and information security as overriding legitimate interest |
| Recital 50 | – | Further processing of personal data |
| Recital 51 | – | Protecting sensitive personal data |
| Recital 52 | – | Exceptions to the prohibition on processing special categories of personal data |
| Recital 53 | – | Processing of sensitive data in health and social sector |
| Recital 54 | – | Processing of sensitive data in public health sector |
| Recital 55 | – | Public interest in processing by official authorities for objectives of recognized religious communities |
| Recital 56 | – | Processing personal data on people’s political opinions by parties |
| Recital 57 | – | Additional data for identification purposes |
| Recital 58 | – | The principle of transparency |
| Recital 59 | – | Procedures for the exercise of the rights of the data subjects |
| Recital 60 | – | Information obligation |
| Recital 61 | – | Time of information |
| Recital 62 | – | Exceptions to the obligation to provide information |
| Recital 63 | – | Right of access |
| Recital 64 | – | Identity verification |
| Recital 65 | – | Right of rectification and erasure |
| Recital 66 | – | Right to be forgotten |
| Recital 67 | – | Restriction of processing |
| Recital 68 | – | Right of data portability |
| Recital 69 | – | Right to object |
| Recital 70 | – | Right to object to direct marketing |
| Recital 71 | – | Profiling |
| Recital 72 | – | Guidance of the European Data Protection Board regarding profiling |
| Recital 73 | – | Restrictions of rights and principles |
| Recital 74 | – | Responsibility and liability of the controller |
| Recital 75 | – | Risks to the rights and freedoms of natural persons |
| Recital 76 | – | Risk assessment |
| Recital 77 | – | Risk assessment guidelines |
| Recital 78 | – | Appropriate technical and organisational measures |
| Recital 79 | – | Allocation of the responsibilities |
| Recital 80 | – | Designation of a representative |
| Recital 81 | – | The use of processors |
| Recital 82 | – | Record of processing activities |
| Recital 83 | – | Security of processing |
| Recital 84 | – | Risk evaluation and impact assessment |
| Recital 85 | – | Notification obligation of breaches to the supervisory authority |
| Recital 86 | – | Notification of data subjects in case of data breaches |
| Recital 87 | – | Promptness of reporting / notification |
| Recital 88 | – | Format and procedures of the notification |
| Recital 89 | – | Elimination of the general reporting requirement |
| Recital 90 | – | Data protection impact assessement |
| Recital 91 | – | Necessity of a data protection impact assessment |
| Recital 92 | – | Broader data protection impact assessment |
| Recital 93 | – | Data protection impact assessment at authorities |
| Recital 94 | – | Consultation of the supervisory authority |
| Recital 95 | – | Support by the processor |
| Recital 96 | – | Consultation of the supervisory authority in the course of a legislative process |
| Recital 97 | – | Data protection officer |
| Recital 98 | – | Preparation of codes of conduct by organisations and associations |
| Recital 99 | – | Consultation of stakeholders and data subjects in the development of codes of conduct |
| Recital 100 | – | Certification |
| Recital 101 | – | General principles for international data transfers |
| Recital 102 | – | International agreements for an appropriate level of data protection |
| Recital 103 | – | Appropriate level of data protection based on an adequacy decision |
| Recital 104 | – | Criteria for an adequacy decision |
| Recital 105 | – | Consideration of international agreements for an adequacy decision |
| Recital 106 | – | Monitoring and periodic review of the level of data protection |
| Recital 107 | – | Amendment, revocation and suspension of adequacy decisions |
| Recital 108 | – | Appropriate safeguards |
| Recital 109 | – | Standard data protection clauses |
| Recital 110 | – | Binding corporate rules |
| Recital 111 | – | Exceptions for certain cases of international transfers |
| Recital 112 | – | Data transfers due to important reasons of public interest |
| Recital 113 | – | Transfers qualified as not repetitive and that only concern a limited number of data subjects |
| Recital 114 | – | Safeguarding of enforceability of rights and obligations in the absence of an adequacy decision |
| Recital 115 | – | Rules in third countries contrary to the Regulation |
| Recital 116 | – | Cooperation among supervisory authorities |
| Recital 117 | – | Establishment of supervisory authorities |
| Recital 118 | – | Monitoring of the supervisory authorities |
| Recital 119 | – | Organisation of several supervisory authorities of a Member State |
| Recital 120 | – | Features of supervisory authorities |
| Recital 121 | – | Independence of the supervisory authorities |
| Recital 122 | – | Responsibility of the supervisory authorities |
| Recital 123 | – | Cooperation of the supervisory authorities with each other and with the Commission |
| Recital 124 | – | Lead authority regarding processing in several Member States |
| Recital 125 | – | Competences of the lead authority |
| Recital 126 | – | Joint decisions |
| Recital 127 | – | Information of the supervisory authority regarding local processing |
| Recital 128 | – | Responsibility regarding processing in the public interest |
| Recital 129 | – | Tasks and powers of the supervisory authorities |
| Recital 130 | – | Consideration of the authority with which the complaint has been lodged |
| Recital 131 | – | Attempt of an amicable settlement |
| Recital 132 | – | Awareness-raising activities and specific measures |
| Recital 133 | – | Mutual assistance and provisional measures |
| Recital 134 | – | Participation in joint operations |
| Recital 135 | – | Consistency mechanism |
| Recital 136 | – | Binding decisions and opinions of the Board |
| Recital 137 | – | Provisional measures |
| Recital 138 | – | Urgency procedure |
| Recital 139 | – | European Data Protection Board |
| Recital 140 | – | Secretariat and staff of the Board |
| Recital 141 | – | Right to lodge a complaint |
| Recital 142 | – | The right of data subjects to mandate a not-for-profit body, organisation or association |
| Recital 143 | – | Judicial remedies |
| Recital 144 | – | Related proceedings |
| Recital 145 | – | Choice of venue |
| Recital 146 | – | Indemnity |
| Recital 147 | – | Jurisdiction |
| Recital 148 | – | Penalties |
| Recital 149 | – | Penalties for infringements of national rules |
| Recital 150 | – | Administrative fines |
| Recital 151 | – | Administrative fines in Denmark and Estonia |
| Recital 152 | – | Power of sanction of the Member States |
| Recital 153 | – | Processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression |
| Recital 154 | – | Principle of public access to official documents |
| Recital 155 | – | Processing in the employment context |
| Recital 156 | – | Processing for archiving, scientific or historical research or statistical purposes |
| Recital 157 | – | Information from registries and scientific research |
| Recital 158 | – | Processing for archiving purposes |
| Recital 159 | – | Processing for scientific research purposes |
| Recital 160 | – | Processing for historical research purposes |
| Recital 161 | – | Consenting to the participation in clinical trials |
| Recital 162 | – | Processing for statistical purposes |
| Recital 163 | – | Production of European and national statistics |
| Recital 164 | – | Professional or other equivalent secrecy obligations |
| Recital 165 | – | No prejudice of the status of churches and religious associations |
| Recital 166 | – | Delegated acts of the Commission |
| Recital 167 | – | Implementing powers of the Commission |
| Recital 168 | – | Implementing acts on standard contractual clauses |
| Recital 169 | – | Immediately applicable implementing acts |
| Recital 170 | – | Principle of subsidiarity and principle of proportionality |
| Recital 171 | – | Repeal of Directive 95/46/EC and transitional provisions |
| Recital 172 | – | Consultation of the European Data Protection Supervisor |
| Recital 173 | – | Relationship to Directive 2002/58/EC |