GDPR Chapters with Sections & Articles
GDPR is the acronym for the European Union General Data Protection Regulation (Regulation (EU) 2016/679).
Chapter 4. Controller and Processor (Articles 24-43)
Covers the general obligations and necessary security measures of data controllers and processors, as well as data protection impact assessments, the role of the data protection officer, codes of conduct, and certifications.
Section 1 – General Obligations
Article 24 – Responsibility of the controller
- Taking into account the nature, scope, context and purposes of processing and the risks to the rights and freedoms of natural persons, the controller must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the Regulation. Those measures must be reviewed and updated where necessary.
Article 25 – Data protection by design and by default
- Controllers must implement appropriate technical and organisational measures, such as pseudonymisation, that give effect to the data protection principles (for example data minimisation) and integrate the necessary safeguards into the processing, both when the means of processing are determined and at the time of the processing itself. By default, only personal data that are necessary for each specific purpose may be processed, which applies to the amount of data collected, the extent of processing, the storage period and the accessibility of the data.
Article 26 – Joint controllers
- Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must determine, in a transparent manner, their respective responsibilities for compliance, in particular for exercising data subject rights and providing the information required by Articles 13 and 14. The essence of that arrangement must be made available to data subjects, who may exercise their rights against any of the joint controllers.
Article 27 – Representatives of controllers or processors not established in the Union
- Where a controller or processor not established in the Union falls under the Regulation because it offers goods or services to, or monitors the behaviour of, data subjects in the Union (Article 3(2)), it must designate in writing a representative in the Union. The obligation does not apply where the processing is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to the rights and freedoms of natural persons, or where the controller or processor is a public authority or body.
Article 28 – Processor
- Where processing is carried out on behalf of a controller, the controller may only use a processor that provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the Regulation and protects the rights of data subjects. The processing must be governed by a contract or other legal act binding the processor to the controller, and the processor may not engage another processor without the controller's prior specific or general written authorisation.
Article 29 – Processing under the authority of the controller or processor
- The processor, and any person acting under the authority of the controller or processor who has access to personal data, may process those data only on the instructions of the controller, unless required to do so by Union or Member State law.
Article 30 – Records of processing activities
- Each controller and, where applicable, the controller's representative must maintain a record of processing activities under its responsibility; each processor and, where applicable, the processor's representative must maintain a record of all categories of processing carried out on behalf of each controller. Records must be in writing, including in electronic form, and made available to the supervisory authority on request. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or criminal conviction data.
Article 31 – Cooperation with the supervisory authority
- The controller and processor, and where applicable their representatives, must cooperate with the supervisory authority, on request, in the performance of its tasks.
Section 2 – Security of Personal Data
Article 32 – Security of processing
- Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons, the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include, as appropriate, pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures. The risk to be assessed covers accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Anyone acting under the authority of the controller or processor who has access to personal data may process it only on the controller's instructions.
Article 33 – Notification of a personal data breach to the supervisory authority
- In the case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by reasons for the delay. The processor must notify the controller without undue delay after becoming aware of a breach. The controller must also document every breach, including the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
Article 34 – Communication of a personal data breach to the data subject
- Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate it to the affected data subjects without undue delay, in clear and plain language. Communication is not required where the data concerned were protected by measures such as encryption that render them unintelligible to unauthorised persons, where subsequent measures have removed the high risk, or where individual communication would involve disproportionate effort, in which case a public communication or similar measure is used instead.
Section 3 – Data Protection Impact Assessment and Prior Consultation
Article 35 – Data protection impact assessment
- Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out, before the processing begins, an assessment of its impact on the protection of personal data (a DPIA), seeking the advice of the data protection officer where one is designated. A DPIA is required in particular for systematic and extensive profiling that produces legal or similarly significant effects, for large-scale processing of special categories of data or criminal conviction data, and for large-scale systematic monitoring of publicly accessible areas. Supervisory authorities publish lists of processing operations that require a DPIA.
Article 36 – Prior consultation
- The controller must consult the supervisory authority before processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it. Where the supervisory authority considers that the intended processing would infringe the Regulation, it must provide written advice within up to eight weeks of receiving the request; that period may be extended by a further six weeks depending on the complexity of the intended processing.
Section 4 – Data Protection Officer
Article 37 – Designation of the data protection officer
- The controller and the processor must designate a data protection officer (DPO) where the processing is carried out by a public authority or body (except courts acting in their judicial capacity); where their core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or where their core activities consist of large-scale processing of special categories of data under Article 9 or of data relating to criminal convictions and offences under Article 10. A group of undertakings may appoint a single DPO if easily accessible from each establishment. The DPO's contact details must be published and communicated to the supervisory authority.
Article 38 – Position of the data protection officer
- The controller and processor must ensure that the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data; must provide the resources necessary to carry out the DPO's tasks and to maintain their expert knowledge; and must not instruct the DPO regarding the exercise of those tasks. The DPO may not be dismissed or penalised for performing those tasks and reports directly to the highest management level.
Article 39 – Tasks of the data protection officer
- The DPO must inform and advise the controller or processor and the employees who carry out processing of their obligations under the Regulation; monitor compliance, including the assignment of responsibilities, awareness-raising and training of staff, and related audits; provide advice on data protection impact assessments and monitor their performance; cooperate with the supervisory authority; and act as its contact point on processing-related matters.
Section 5 – Codes of Conduct and Certification
Article 40 – Codes of conduct
- Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the Regulation, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises. Codes may be prepared by associations representing categories of controllers or processors and must be approved by the competent supervisory authority.
Article 41 – Monitoring of approved codes of conduct
- A body that has an appropriate level of expertise in the subject-matter of a code and is accredited for that purpose by the competent supervisory authority may monitor compliance with the code, without prejudice to the tasks and powers of the supervisory authority itself.
Article 42 – Certification
- Member States, the supervisory authorities, the Board and the Commission shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, to demonstrate compliance with the Regulation. Certification is voluntary and does not reduce the responsibility of the controller or processor for compliance.
Article 43 – Certification bodies
- Certification bodies accredited by the competent supervisory authority or by the national accreditation body (or both) may issue, renew and withdraw certifications. A certification is issued for a maximum period of three years and may be renewed under the same conditions.