GDPR Lisianne Marzani December 22, 2017

Waterline’s Handy Dandy Summary of GDPR: Chapter 4 (Part 1 of 2)

Today, we continue a series of blog posts that summarize how each of the GDPR articles may affect your business. These summaries can serve as a handy reference for those who need a quick and easy explanation.

We kicked this series off with Chapter 1. This week, we resume with Chapter 4. 

CHAPTER 4: Controller and Processor 

With 20 articles divided into five sections, Chapter 4 is the GDPR’s longest chapter. Our summary of this chapter will therefore be broken into two parts and written as concisely as possible.

Article 24: Responsibility of the controller

Article 24 deems the controller responsible for implementing—in a demonstrable way—the “technical and organizational measures” needed to ensure its data processing is GDPR-compliant.

Article 25: Data protection by design and by default

This article requires organizations to bake appropriate measures into the total lifecycle of their products, services, and processes (such as pseudonymization and data minimization) to ensure GDPR compliance. These measures should ensure that data is collected, stored and processed only when necessary and specifically for its designated purpose. An approved certification process, outlined later in Article 42, may be used to demonstrate compliance.

Article 26: Joint controllers

When more than one controller exists, article 26 calls for them to divvy up their GDPR compliance responsibilities in a transparent manner. Some experts have begun looking at this particular article in greater detail as it requires organizations to carefully evaluate any business relationship—e.g. cloud providers—that involves personal data to ensure all GDPR obligations are being met.

Article 27: Representatives of controllers or processors not established in the Union

This is another key provision. If located outside the EU, the controller of EU-regulated data must appoint—and designate in writing—a representative who is “a natural or legal person established in the EU” (as described in Article 4).

Article 28: Processor

This details how the contractual relationships between controllers and proceessors must be constructed to ensure compliance is carried out by the processor on behalf of the controller. The article lists all the points a controller should include in its contracts with processors, including making sure vendors delete or return personal data upon contract termination.

Article 29: Processing under the authority of the controller or processor

Article 29 specifies that a processor can only process data as instructed by the controller unless otherwise required by Union or Member State law.

Article 30: Records of processing activities

This is a big one. The controller and processer must keep detailed records of their data processing, and these records must be provided to the “supervisory authority” (more on this when we get to Article 51) upon request. Whether you’re a controller or processor, Article 30 explains what information must be kept.

Article 31: Cooperation with the supervisory authority

This specifies that the controller and processor must cooperate with the supervisory authority.

Article 32: Security of processing

Here, controllers and processors are required to implement measures that “ensure a level of security appropriate to the risk,” such as pseudonymization, encryption of personal data, and a process for testing the effectiveness of such measures. Article 32 further states that the controller or processor must instill safeguards that prevent people with access to personal data from processing that data unless instructed by the controller, processor or EU/Member State law.

Article 33: Notification of a personal data breach to the supervisory authority

This requires the controller to document and notify the supervisory authority no later than 72 hours after becoming aware of a data breach except for certain conditions related to the rights and freedoms of the data subjects affected. The article further details the information that must be included in this notification.

This concludes our summary of GDPR: Chapter 4, Part 1. For the full text of GDPR: Chapter 4, go to: 

After you finish reading that article in detail, or perhaps even before, check out how Waterline Data can resolve a key challenge in complying with GDPR by helping you identify and understanding everything you need to know about your data, including origin:

Next: Chapter 4, Part 2.