Chapter IV - Controller and processor

Article 24 - Responsibility of the controller

Responsibilities of the controller relating to the personal data processing
Implementation of appropriate data protection policies by the controller
Possibilities of demonstrating fulfilment of the obligations

Article 25 - Data protection by design and by default

Implementation of the appropriate technical and organisational measures
Processing of the personal data “by default”
Approved certification mechanism pursuant to Article 42

Article 26 - Joint controllers

Personal data processing by the joint controllers
Respective roles and relationships of the joint controllers vis-à-vis the data subjects
Exercising the rights of the data subject against each of the controllers

Article 27 - Representatives of controllers or processors not established in the Union

Designating the representative of the controller or processor
Limitation of the obligation laid down in Article 27, paragraph 1
Designating the place of activity of a controller established outside the EU
Defining the scope of the mandate given by the controller or processor
Legal remedies against the controller or processor

Article 28 - Processor

Guarantees by the processor of implementing adequate protective measures
Conditions for engaging another processor in the data processing
Minimum content of the contract between the controller and processor
Imposing the same scope of obligations on the other processor
Certification mechanism as referred to in Article 42
Basic standard contractual clauses between the controller and processor
Standard contractual clauses laid down by the Commission
Standard contractual clauses adopted by the supervisory authority
Contract or other legal act in terms of Article 28, paragraphs 3 and 4
Consequences of the processor infringing the Regulation by determining the purposes and means of personal data processing

Article 29 - Processing under the authority of the controller or processor

Obligation of the processor to comply with the instructions of the controller

Article 30 - Records of processing activities

Mandatory content of the record of processing activities
A record of all categories of processing activities carried out on behalf of a controller
Form of the records according to Article 30, paragraphs 1 and 2
Making the records available to the supervisory authority on request
Exemption from the obligations laid down in Article 30, paragraphs 1 and 2

Article 31 - Cooperation with the supervisory authority

Cooperation with the supervisory authority

Article 32 - Security of processing

Implementation of the appropriate technical and organisational measures
Assessing the appropriate level of security
Adherence to an approved code of conduct as referred to in Article 40
Ensuring compliance by any natural person acting under the authority of the controller or processor

Article 33 - Notification of a personal data breach to the supervisory authority

Time limit for notifying the personal data breach
Notification of the data breach to the controller
The minimum content of the personal data breach notification
Additional information relating to the personal data breach notification
Documentation of personal data breaches

Article 34 - Communication of a personal data breach to the data subject

Communication of the personal data breach to the data subject
Method of communication in the context of Article 34, paragraph 1 of the Regulation
Situations where the communication obligation does not apply
Powers of the supervisory authority in relation to the communication of a personal data breach

Article 35 - Data protection impact assessment

Personal data processing that requires a DPIA – general provision
Cooperation between the controller and the data protection officer
Processing that requires an obligatory DPIA
List of processing operations which require an obligatory data protection impact assessment
List of the kind of processing operations for which no data protection impact assessment is required
Consistency mechanism referred to in Article 63
Minimal content of the DPIA
Assessing the impact of the processing performed by such controllers or processors
Seeking the views of data subjects or their representatives
Situations where the DPIA need not be carried out
Situations where a DPIA might be necessary

Article 36 - Prior consultation

Situations that require prior consultation with the supervisory authority
Powers of the supervisory authority in specific situations
Information provided to the supervisory authority by the controller
Consultations during the legislative process
Supervisory authority consultation relating to social policy and public health policy

Article 37 - Designation of the data protection officer

Compulsory designation of the data protection officer (DPO)
Appointment of a data protection officer by a group of undertakings
Appointment of a data protection officer by a public authority or body
Optional designation of a data protection officer
Basic requirements for the data protection officer position
Appointing an employee to the position of data protection officer
Publishing the details of the designated data protection officer

Article 38 - Position of the data protection officer

Responsibility of the controller and processor in the context of the data protection officer
Providing support to the data protection officer
Organisational status of the data protection officer
Contacting the data protection officer
Confidentiality obligation of the data protection officer
Other tasks and duties of the data protection officer

Article 39 - Tasks of the data protection officer

Responsibilities of the data protection officer
Other tasks of the data protection officer

Article 40 - Codes of conduct

Encouraging the drawing up of codes of conduct
Codes of conduct
Adherence to codes of conduct by bodies that are not subject to this Regulation
Monitoring compliance with the codes of conduct
Assessment of the code of conduct by the supervisory authority
Registration and publication of the code of conduct
Submitting the code of conduct to the Board
Determination of the general validity of the approved code of conduct
Publication of the generally valid and approved codes of conduct
Collection and publication of all approved codes of conduct by the Board

Article 41 - Monitoring of approved codes of conduct

Monitoring compliance with a code of conduct by a designated body
Basic criteria for the accreditation of a designated body
Submitting the draft for the accreditation process
Measures taken when the code of conduct is breached by the controller or processor
Reasons for withdrawal of the accreditation
Scope limitation of Article 41 in the context of public authorities and bodies

Article 42 - Certification

Encouraging the establishment of certification mechanisms
Demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3
Transparency rules in the certification process
Responsibility of the controller and processor relating to the certification process
Common certification and the European Data Protection Seal
Providing the information and access that are essential for the certification procedure
Validity of the certificate and its renewal
Publication of the certification mechanisms, data protection seals and data protection marks

Article 43 - Certification bodies

Issuing the certification
Accreditation conditions in relation to certification bodies
Criteria for the accreditation of certification bodies
Validity of the accreditation and its renewal
Information obligation of the certification bodies
Publishing the certification criteria
Revocation of the accreditation
Determination of the certification requirements
Technical specifications for the certification mechanisms, seals and marks