46 sections · 381 audit questions · every article, annex and clause · v2016-05-04
This page lists every regulatory leaf of GDPR in the order it appears in the regulation — each article, annex and clause. The audit checklist treats every leaf as a separate audit row, including the permissive ones.
Click a row's citation to jump to it. The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| Article 2 | Article | Material scope | 5 |
| Article 3 | Article | Territorial scope | 4 |
| Article 5 | Article | Principles relating to processing of personal data | 13 |
| Article 6 | Article | Lawfulness of processing | 15 |
| Article 7 | Article | Conditions for consent | 8 |
| Article 8 | Article | Conditions applicable to child's consent in relation to information society services | 3 |
| Article 9 | Article | Processing of special categories of personal data | 12 |
| Article 10 | Article | Processing of personal data relating to criminal convictions and offences | 2 |
| Article 11 | Article | Processing which does not require identification | 3 |
| Article 12 | Article | Transparent information, communication and modalities for the exercise of the rights of the data subject | 20 |
| Article 13 | Article | Information to be provided where personal data are collected from the data subject | 20 |
| Article 14 | Article | Information to be provided where personal data have not been obtained from the data subject | 28 |
| Article 15 | Article | Right of access by the data subject | 16 |
| Article 16 | Article | Right to rectification | 2 |
| Article 17 | Article | Right to erasure ('right to be forgotten') | 13 |
| Article 18 | Article | Right to restriction of processing | 6 |
| Article 19 | Article | Notification obligation regarding rectification or erasure of personal data or restriction of processing | 2 |
| Article 20 | Article | Right to data portability | 5 |
| Article 21 | Article | Right to object | 7 |
| Article 22 | Article | Automated individual decision-making, including profiling | 9 |
| Article 24 | Article | Responsibility of the controller | 3 |
| Article 25 | Article | Data protection by design and by default | 7 |
| Article 26 | Article | Joint controllers | 4 |
| Article 27 | Article | Representatives of controllers or processors not established in the Union | 5 |
| Article 28 | Article | Processor | 17 |
| Article 29 | Article | Processing under the authority of the controller or processor | 1 |
| Article 30 | Article | Records of processing activities | 16 |
| Article 31 | Article | Cooperation with the supervisory authority | 1 |
| Article 32 | Article | Security of processing | 11 |
| Article 33 | Article | Notification of a personal data breach to the supervisory authority | 13 |
| Article 34 | Article | Communication of a personal data breach to the data subject | 6 |
| Article 35 | Article | Data protection impact assessment | 14 |
| Article 36 | Article | Prior consultation | 7 |
| Article 37 | Article | Designation of the data protection officer | 7 |
| Article 38 | Article | Position of the data protection officer | 10 |
| Article 39 | Article | Tasks of the data protection officer | 10 |
| Article 40 | Article | Codes of conduct | 1 |
| Article 42 | Article | Certification | 1 |
| Article 44 | Article | General principle for transfers | 3 |
| Article 45 | Article | Transfers on the basis of an adequacy decision | 1 |
| Article 46 | Article | Transfers subject to appropriate safeguards | 10 |
| Article 47 | Article | Binding corporate rules | 17 |
| Article 48 | Article | Transfers or disclosures not authorised by Union law | 1 |
| Article 49 | Article | Derogations for specific situations | 13 |
| Article 88 | Article | Processing in the context of employment | 4 |
| Article 89 | Article | Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes | 5 |
The Compliance Matrix is the verification document — every paragraph in scope on one PDF. The audit checklist bundle is the per-question working document (381 questions, 5 artefact formats).