Title III — Obligations of Controllers and Processors
This title sets out the obligations imposed on data controllers and processors.
Chapter 1 — General Obligations
| Article | Title | Description |
|---|---|---|
| Article 15 | Responsibility of the Controller | The controller shall implement appropriate technical and organisational measures to ensure that processing is performed in accordance with this Code and shall be able to demonstrate such compliance. |
| Article 16 | Data Protection by Design and by Default | Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the... |
| Article 17 | Records of Processing Activities | Each controller shall maintain a record of processing activities under its responsibility. That record shall contain the following information:. |
| Article 18 | Security of Processing | Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller... |
Chapter 2 — Data Breach and Impact Assessment
| Article | Title | Description |
|---|---|---|
| Article 19 | Notification of Personal Data Breach | In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than seventy-two hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the... |
| Article 20 | Communication of Breach to Data Subjects | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. |
| Article 21 | Data Protection Impact Assessment | Where a type of processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller... |
Chapter 3 — Transfers and Processors
| Article | Title | Description |
|---|---|---|
| Article 22 | International Data Transfers | The State of the Kaharagians, having no physical territory, recognises that all personal data processed within its legal order is inherently stored in foreign jurisdictions. |
| Article 23 | Processor Obligations | Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet... |