Reference - Numbers cheat-sheet

Reference · Key Articles, thresholds & timeframes cheat-sheet

The single highest-yield recall sheet for the exam: the article numbers, thresholds and timeframes that scenario questions hinge on. Drill these until they are automatic.

Definitions (Article 4) and core concepts
Concept	Article
Personal data	Art 4(1)
Processing	Art 4(2)
Restriction of processing	Art 4(3)
Controller / Processor	Art 4(7) / 4(8)
Personal data breach	Art 4(12)
Biometric data	Art 4(14)
Cross-border processing	Art 4(23)

Principles, lawful bases, scope
Topic	Article
Material scope / Territorial scope	Art 2 / Art 3 (3(1) establishment; 3(2) targeting & monitoring)
The seven principles	Art 5
Six lawful bases	Art 6
Conditions for consent / Children's consent	Art 7 / Art 8 (16, Member States may lower to 13)
Special-category data / Criminal data / No-ID processing	Art 9 / Art 10 / Art 11

Transparency, rights, accountability
Topic	Article
Transparency / Info if collected directly / indirectly	Art 12 / Art 13 / Art 14
Access · Rectification · Erasure	Art 15 · 16 · 17
Restriction · Portability · Object · Automated decisions	Art 18 · 20 · 21 · 22
Accountability / DP by design & default	Art 24 / Art 25
EU representative / Processor contract	Art 27 / Art 28
Records of processing	Art 30 (threshold: 250 employees, plus other triggers)
Security of processing	Art 32 (CIAR)
Breach: notify SA / inform data subjects	Art 33 (72 hours) / Art 34 (high risk)
DPIA / Prior consultation	Art 35 / Art 36
DPO (designation, position, tasks)	Art 37–39

Transfers, enforcement, money
Topic	Article / figure
International transfers	Chapter V (Art 44–49)
Adequacy / Appropriate safeguards / BCRs / Derogations	Art 45 / 46 / 47 / 49
Third-country authority orders	Art 48
Representation by bodies / Compensation	Art 80 / Art 82
Supervisory-authority powers	Art 58 (investigative, corrective, authorisation/advisory)
Administrative fines - two tiers	Art 83: €10m or 2% / €20m or 4% (whichever is higher)

Timeframes & dates to lock in
Item	Value
Respond to a data-subject request (access, rectification, etc.)	1 month (extendable by 2 for complex requests)
Notify the supervisory authority of a breach	72 hours (where feasible)
GDPR fully effective	25 May 2018
Certification validity	Up to 3 years (renewable)
NIS2 effective	17 January 2025
Children's consent age (Art 8)	16, Member States may lower to 13

Key terms - quick answers

What is “Chapter V”?

The GDPR chapter (Articles 44–49) governing transfers of personal data to third countries and international organisations.

← Reference · Landmark CJEU/ECtHR cases & major fines