My favourites

Chapter IV – Controller and processor (Art. 24-43)

Art. 24 GDPR - Responsibility of the controller arrow_right_alt

Art. 25 GDPR - Data protection by design and by default arrow_right_alt

Art. 26 GDPR - Joint controllers arrow_right_alt

Art. 27 GDPR - Representatives of controllers or processors not established in the Union arrow_right_alt

Art. 28 GDPR - Processor arrow_right_alt

Art. 29 GDPR - Processing under the authority of the controller or processor arrow_right_alt

Art. 30 GDPR - Records of processing activities arrow_right_alt

Art. 31 GDPR - Cooperation with the supervisory authority arrow_right_alt

Art. 32 GDPR - Security of processing arrow_right_alt

Art. 33 GDPR - Notification of a personal data breach to the supervisory authority arrow_right_alt

Art. 34 GDPR - Communication of a personal data breach to the data subject arrow_right_alt

Art. 35 GDPR - Data protection impact assessment arrow_right_alt

Art. 36 GDPR - Prior consultation arrow_right_alt

Art. 37 GDPR - Designation of the data protection officer arrow_right_alt

  1. The controller and the processor shall designate a data protection officer in any case where:
    1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Related
Close tabsclose
  • 97

Recital 97

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Art. 38 GDPR - Position of the data protection officer arrow_right_alt

Art. 39 GDPR - Tasks of the data protection officer arrow_right_alt

Art. 40 GDPR - Codes of conduct arrow_right_alt

Art. 41 GDPR - Monitoring of approved codes of conduct arrow_right_alt

Art. 42 GDPR - Certification arrow_right_alt

Art. 43 GDPR - Certification bodies arrow_right_alt