Title III — Obligations of Controllers and Processors
This title sets out the obligations imposed on data controllers and processors.
Chapter 1 — General Obligations
| Article | Title | Description |
|---|---|---|
| Art. 15 | Responsibility of the Controller | The controller shall implement appropriate technical and organisational measures to ensure that processing is performed in accordance with this Code and shall be able to demonstrate such compliance. |
| Art. 16 | Data Protection by Design and by Default | Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the... |
| Art. 17 | Records of Processing Activities | Each controller shall maintain a record of processing activities under its responsibility. That record shall contain the following information:. |
| Art. 18 | Security of Processing | Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller... |
Chapter 2 — Data Breach and Impact Assessment
| Article | Title | Description |
|---|---|---|
| Art. 19 | Notification of Personal Data Breach | In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than seventy-two hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the... |
| Art. 20 | Communication of Breach to Data Subjects | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. |
| Art. 21 | Data Protection Impact Assessment | Where a type of processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller... |
Chapter 3 — Transfers and Processors
| Article | Title | Description |
|---|---|---|
| Art. 22 | International Data Transfers | The State of the Kaharagians, having no physical territory, recognises that all personal data processed within its legal order is inherently stored in foreign jurisdictions. |
| Art. 23 | Processor Obligations | Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet... |