Section 1: General obligations

  • Article 24 — Responsibility of the controller
  • Article 25 — Data protection by design and by default
  • Article 26 — Joint controllers
  • Article 27 — Representatives of controllers or processors not established in the Union
  • Article 28 — Processor
  • Article 29 — Processing under the authority of the controller or processor
  • Article 30 — Records of processing activities
  • Article 31 — Cooperation with the supervisory authority

Section 2: Security of personal data

  • Article 32 — Security of processing
  • Article 33 — Notification of a personal data breach to the supervisory authority
  • Article 34 — Communication of a personal data breach to the data subject

Section 3: Data protection impact assessment and prior consultation

  • Article 35 — Data protection impact assessment
  • Article 36 — Prior consultation

Section 4: Data protection officer

  • Article 37 — Designation of the data protection officer
  • Article 38 — Position of the data protection officer
  • Article 39 — Tasks of the data protection officer

Section 5: Codes of conduct and certification

  • Article 40 — Codes of conduct
  • Article 41 — Monitoring of approved codes of conduct
  • Article 42 — Certification
  • Article 43 — Certification bodies