Section 1: General obligations
- Article 24 — Responsibility of the controller
- Article 25 — Data protection by design and by default
- Article 26 — Joint controllers
- Article 27 — Representatives of controllers or processors not established in the Union
- Article 28 — Processor
- Article 29 — Processing under the authority of the controller or processor
- Article 30 — Records of processing activities
- Article 31 — Cooperation with the supervisory authority
Section 2: Security of personal data
- Article 32 — Security of processing
- Article 33 — Notification of a personal data breach to the supervisory authority
- Article 34 — Communication of a personal data breach to the data subject
Section 3: Data protection impact assessment and prior consultation
- Article 35 — Data protection impact assessment
- Article 36 — Prior consultation
Section 4: Data protection officer
- Article 37 — Designation of the data protection officer
- Article 38 — Position of the data protection officer
- Article 39 — Tasks of the data protection officer
Section 5: Codes of conduct and certification
- Article 40 — Codes of conduct
- Article 41 — Monitoring of approved codes of conduct
- Article 42 — Certification
- Article 43 — Certification bodies