Official GDPR Sources

The Official GDPR Sources: Your Trustworthy List

As we approach May 25 2018, the internet is becoming flooded by GDPR related articles (see eg. Google Trends for GDPR). This is the date from when the new EU General Data Protection Regulation (GDPR) goes into effect.

But in lot of cases you may find these articles contradictory, incomplete or subjective. Who to trust and how to make decisions is a dilemma for many. Find the truth below.

What is GDPR?

The aim of this article is not to declare the basics of the GDPR, but in a nutshell: it is the EU’s new data privacy regulation (General Data Protection Regulation). It governs how the data of European citizens must be handled and organisations handling personal data need to prove their compliance. Penalties may exceed 20 million Euros.

Which statement should you believe regarding GDPR?

At this point we should point out that currently no one has any real experience with the new GDPR as we are speaking of a regulation what will come into force in the future.

Of course, it makes sense to read blog posts, attend conferences, meetups or trainings about GDPR (eg. it may reduce the risk of receiving a large penalty), but the fact is that there is a lot of misinformation out there and rarely do they contain any references to the official sources.

Currently, anything beyond the official sources should be considered as an opinion!

If you want be sure, you have two options:

  1. Read the official sources

  2. At the very least, validate the information you’ve gathered elsewhere

It is not easy to differentiate the official pages from the simply “official looking” ones. Our aim is to create a list of the GDPR related official materials.

GDPR related official materials currently available

1. The official GDPR regulation

of 27 April 2016
On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(accessible in multiple languages)

Chapters of the regulation

The regulation is considerably long and, to be honest, from a UX perspective it’s a mess. If you read the whole regulation you will find that there are similarly looking parts almost repeated word-by-word, but it is intentional.

For easier orientation here is a clickable list of the GDPR chapters:

  1. General provisions

  2. Principles

  3. Rights of the data subject

  4. Controller and processor

  5. Transfers of personal data to third countries or international organisations

  6. Independent supervisory authorities

  7. Cooperation and consistency

  8. Remedies, liability and penalties

  9. Provisions relating to specific processing situations

  10. Delegated acts and implementing acts

  11. Final provisions

Hint: Very useful part: CHAPTER I Article 4 Definitions (eg. what is ‘personal data’)

2. WP29 guidelines

The aim of these guidelines from the Article 29 Working Party is to clarify the regulation and also provide best practice recommendations.
Among the guidelines there are already accepted and there are some adopted, but not accepted yet.

The accepted WP29 guidelines:

  1. Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)

  2. Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)

  3. Guidelines on the application and setting of administrative fines (wp253).
    Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, wp253

  4. Guidelines on the Lead Supervisory Authority (wp244rev.01)

  5. Guidelines on Data Protection Officers ('DPOs') (wp243rev.01)

  6. Guidelines on the right to "data portability" (wp242rev.01)

  7. Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)
    Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, wp248rev.01

The adopted, but still to be finalized state WP29 guidelines:

  1. Guidelines on Consent under Regulation 2016/679 (wp259)

  2. Guidelines on Transparency under Regulation 2016/679 (wp260)

3. The local regulations

Member States may adopt specific rules, provide for exemptions or derogations or may further determine specific conditions regarding the GDPR. The effect of these legal changes is worth being subsequently monitored on the websites of Data Protection Authorities of the given Member State.

The list of National Data Protection Authorities:
Hint: You can turn to a National Data Protection Authority with your questions. They should answer for free and their answers are also official.

+ A bonus: WP29 Letters, Opinions and other documents for more details

In the spirit of a broad view we have to mention, that WP29 publishes also Letters, Opinions which are accessible on their website.


GDPR isn’t easy and even lawyers won't give you a guarantee if you are GDPR compliant or not and neither will this article. To be safeguard yourself, read the official sources instead of opinions and you can make decisions based on these trustworthy sources.

The good news: the content of these materials will not change in the near future.

We will produce more valuable GDPR articles soon, focusing on specific areas where we will try to reference to the official sources as much as it is possible. Stay tuned!

(Last update of the sources: 12 March 2018)


Do you have a Drupal website and you want it to be GDPR compliant?

Please get in touch and see how we can help.

Balázs Kántor
Published at: March 12th, 2018

Related tags: