By now, the General Data Protection Regulation (GDPR) has become familiar to anyone handling legal matters related to privacy and data protection. The GDPR imposes obligations on organizations—regardless of their geographical location—that target or collect data on European Union citizens. However, someone unfamiliar with the regulation may find it difficult to grasp—the document contains 99 articles and 173 recitals!
As mentioned, the GDPR consists of two components: the articles and recitals. The articles constitute the legal requirements organizations must follow to demonstrate compliance. The recitals provide additional information and supporting context to supplement the articles.
The European Data Protection Board—formerly the Article 29 Working Party—relies on the recitals to interpret the articles. Furthermore, the Court of Justice of the European Union reviews the recitals to decide the meaning and application of the GDPR.
Through the recitals, organizations learn when and how to comply with the GDPR. For instance, the recitals answer questions such as “When should my company report a breach?” and “When is it necessary to report a loss of data?”
For example, Recital 32 supplements Article 4(11) and provides a detailed discussion of the definition of “consent.”
Article 4(11) states “‘[c]onsent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”