Chapter IV - Controller and processor

Article 24 - Responsibility of the controller

Responsibility of the controller for personal data processing
Implementation of appropriate data protection policies by the controller
Fulfilment of the controller's obligations by adherence to approved codes of conduct or certification mechanisms

Article 25 - Data protection by design and by default

Implementation of appropriate technical and organisational measures (data protection by design)
Processing of personal data "by default" (data protection by default)
Approved certification mechanism pursuant to Article 42 as an element to demonstrate compliance

Article 26 - Joint controllers

Joint determination of the purposes and means of processing by the joint controllers
Respective roles and relationships of the joint controllers vis-à-vis the data subjects
Exercise by the data subject of his or her rights under this Regulation in respect of and against each of the controllers

Article 27 - Representatives of controllers or processors not established in the Union

Designation of a representative in the Union
Exemptions from the obligation under Article 27(1) of the Regulation
Member State of establishment of the representative in the Union
Scope of the representative's mandate from the controller or processor
Designation of a representative without prejudice to legal actions against the controller or processor

Article 28 - Processor

Sufficient guarantees by the processor to implement appropriate technical and organisational measures
Conditions for engaging another processor (sub-processor)
Minimum content of the contract or other legal act between the controller and processor
Imposition of the same data protection obligations on the other processor (sub-processor)
Approved certification mechanism as referred to in Article 42 as an element to demonstrate the processor's sufficient guarantees
Standard contractual clauses between the controller and processor
Standard contractual clauses adopted by the Commission
Standard contractual clauses adopted by the supervisory authority
Form of the contract or other legal act referred to in Article 28(3) and (4) of the Regulation
Consequences of the processor determining the purposes and means of processing in infringement of the Regulation

Article 29 - Processing under the authority of the controller or processor

Obligation of the processor, and of any person acting under the authority of the controller or processor, to process personal data only on instructions from the controller

Article 30 - Records of processing activities

Mandatory content of the controller's record of processing activities
Processor's record of all categories of processing activities carried out on behalf of a controller
Form of the records referred to in Article 30(1) and (2) of the Regulation
Making the records available to the supervisory authority on request
Exemption from the obligations under Article 30(1) and (2) of the Regulation

Article 31 - Cooperation with the supervisory authority

Cooperation with the supervisory authority

Article 32 - Security of processing

Implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk
Assessing the appropriate level of security, taking into account the risks presented by the processing
Approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 as an element to demonstrate compliance
Ensuring that persons acting under the authority of the controller or processor process personal data only on instructions from the controller

Article 33 - Notification of a personal data breach to the supervisory authority

Time limit for notifying a personal data breach to the supervisory authority
Notification of a personal data breach by the processor to the controller
Minimum content of the personal data breach notification
Provision of additional information in phases where it cannot be provided at the same time
Documentation of personal data breaches by the controller

Article 34 - Communication of a personal data breach to the data subject

Communication of the personal data breach to the data subject
Form and content of the communication referred to in Article 34(1) of the Regulation
Exemptions from the obligation to communicate the breach to the data subject
Power of the supervisory authority to require the controller to communicate the breach to the data subject

Article 35 - Data protection impact assessment

Types of processing that require a DPIA – general provision
Seeking the advice of the data protection officer when carrying out a DPIA
Processing for which a DPIA is required in particular
List of the kinds of processing operations which are subject to the requirement for a data protection impact assessment
List of the kinds of processing operations for which no data protection impact assessment is required
Consistency mechanism referred to in Article 63 for lists relating to processing in several Member States
Minimum content of the DPIA
Compliance with approved codes of conduct taken into account in assessing the impact of the processing operations performed by such controllers or processors
Seeking the views of data subjects or their representatives on the intended processing
Exemption from the obligation to carry out a DPIA
Review of the DPIA, in particular where the risk represented by the processing operations changes

Article 36 - Prior consultation

Conditions requiring prior consultation of the supervisory authority
Powers of the supervisory authority where the intended processing would infringe the Regulation
Information provided to the supervisory authority when consulting it pursuant to paragraph 1
Consultation during the preparation of a proposal for a legislative measure
Consultation of the supervisory authority in the area of social protection and public health

Article 37 - Designation of the data protection officer

Mandatory designation of the data protection officer (DPO)
Appointment of a single DPO for a group of undertakings, provided that the DPO is easily accessible from each establishment
Designation of a single DPO for several public authorities or bodies
Voluntary designation of the DPO
Professional qualities and expert knowledge required for the DPO
Appointment of a staff member as DPO, or fulfilment of the tasks on the basis of a service contract
Publication of the contact details of the DPO and their communication to the supervisory authority

Article 38 - Position of the data protection officer

Obligation of the controller and processor to involve the DPO in all issues relating to the protection of personal data
Supporting the data protection officer in performing the tasks referred to in Article 39
Organisational status and independence of the DPO
Contacting the DPO by data subjects
Secrecy or confidentiality obligation of the DPO
Other tasks and duties of the DPO and avoidance of conflicts of interest

Article 39 - Tasks of the data protection officer

Tasks of the data protection officer
Due regard to the risk associated with processing in the performance of the DPO's tasks

Article 40 - Codes of conduct

Encouraging the drawing up of codes of conduct intended to contribute to the proper application of this Regulation
Content of codes of conduct
Adherence to codes of conduct by controllers or processors that are not subject to this Regulation
Mandatory monitoring of compliance with the code by an accredited body
Submitting the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55
Approval, registration and publication of the code
Submitting the draft code, amendment or extension to the Board
Submission of the Board's opinion to the Commission
Commission decision on the general validity of the approved code of conduct
Publication of the approved codes of conduct declared to have general validity
Collecting all approved codes of conduct, amendments and extensions in a register

Article 41 - Monitoring of approved codes of conduct

Monitoring of compliance with a code of conduct pursuant to Article 40 by an accredited body
Criteria for the accreditation of a monitoring body
Submitting the draft criteria for the accreditation of a body to the Board
Action by the monitoring body in case of infringement of the code of conduct by a controller or processor
Grounds for revocation of the accreditation
Non-application of Article 41 to processing carried out by public authorities and bodies

Article 42 - Certification

Encouraging the establishment of certification mechanisms and data protection seals and marks
Certification demonstrating the existence of appropriate safeguards provided by controllers or processors, including in the context of transfers
Voluntary and transparent certification process
Responsibility of the controller and processor for compliance is not reduced by certification
Issuing of certification by certification bodies or the supervisory authority; the European Data Protection Seal
Providing the information and access which are necessary to conduct the certification procedure
Validity period of the certification, its renewal and withdrawal
Publication of certification mechanisms and data protection seals and marks in a register

Article 43 - Certification bodies

Issuing and renewal of certification by accredited certification bodies
Accreditation conditions for certification bodies
Criteria for the accreditation of certification bodies
Validity of the accreditation and conditions for its renewal
Information obligation of the certification body towards the supervisory authority
Publication of the accreditation requirements and certification criteria
Revocation of the accreditation of a certification body
Delegated acts of the Commission on the requirements for certification mechanisms
Implementing acts on technical standards for certification mechanisms and data protection seals and marks