GDPR Lisianne Marzani January 19, 2018

Waterline’s Handy Dandy Summary of GDPR: Chapter 4 (Part 2 of 2)

Today, we continue a series of blog posts that summarize how each of the GDPR articles may affect your business. These summaries can serve as a handy reference for those who need a quick and easy explanation.

We kicked this series off with Chapter 1. This week, we resume with Chapter 4, Part 2.

CHAPTER 4: Controller and Processor 

With 20 articles divided into five sections, Chapter 4 is the GDPR’s longest chapter. Our summary of this chapter will therefore be broken into two parts and written as concisely as possible.

Article 34: Communication of a personal data breach to the data subject

Article 34 requires organizations to notify users, in clear and plain language, of data breaches that put their “rights and freedoms” at risk. Notification is not required under certain conditions, such as when the data accessed was encrypted.

Article 35: Data protection impact assessment

This requires organizations to conduct a Data Protection Impact Assessment (DPIA) to assess the impact certain processing may have on the rights and freedoms of users. The DPIA must contain four primary components: 1.) a description of the processing process and its purpose, why the process is necessary, how it impacts a user’s data privacy, and how the organization is addressing those risks.

Article 36: Prior consultation

If the DPIA suggests an usually high risk that cannot be reasonably guarded against, article 36 requires the organization to consult the supervisory authority before processing begins. The article further details all the information that must be delivered to the supervisory authority as part of the consultation.

Article 37: Designation of the data protection officer

Here, the GDPR outlines the conditions that, if they exist, require that a data protection officer (DPO) be put in place. These conditions include processing that is carried out by a public authority (except for courts acting in a judicial capacity) or processing by private sector entities that involves systematic monitoring of data subjects on a large scale. Also specified is that the DPO is to be selected on basis of expert understanding of privacy law and practice.

Article 38: Position of the data protection officer

Article 38 outlines what controllers and processors must do to ensure their DPO can carry out the required tasks. This includes establishing the independence of the DPO within the management team, providing all the resources the DPO will need to do his or her job, assuring the DPO that faithfully performing the assigned tasks won’t result in penalty or dismissal, and more.

Article 39: Tasks of the data protection officer

Here GDPR specifies the tasks a DPO must be assigned, such as advising the controller or processor and data processing employees on GDPR requirements, training of staff in privacy practice, monitoring compliance in processing operations, and more.

Article 40: Codes of conduct

Article 40 calls on European Union (EU) Member States, supervisory authorities and other public bodies to encourage associations and other representative bodies of controllers or processors (such as the Cloud Select Industry Group, which represents any organization or person doing business in the European cloud market) to create codes of conduct that assist with “proper application” of GDPR.

These codes of conduct should include guidelines around fair and transparent processing, the pseudonymization of personal data, out-of-court dispute procedures, and so on. The article also requires controllers or processors that transfer personal data to third countries extend their code of conduct safeguards to other data processing partners in contractually binding ways.

Article 41: Monitoring of approved codes of conduct

Here, GDPR addresses the body that should be put in place to monitor compliance with the codes of conduct, listing the conditions that body must satisfy in order to be GDPR-approved.

Article 42: Certification

This calls on Member States, supervisory authorities and other public bodies to establish data protection certification mechanism for demonstration of GDPR compliance. 

Article 43: Certification bodies

This specifies the conditions certification bodies must satisfy in order to be accredited by Member States.

This concludes our summary of GDPR: Chapter 4, Part 2. For the full text of GDPR: Chapter 4, go to:

After you finish reading that article in detail, or perhaps even before, check out how Waterline Data can resolve a key challenge in complying with GDPR by helping you identify and understanding everything you need to know about your data, including origin:

Next: Chapter 5.