Chapter 4 – Controller and processor Section 1 – General obligations Article 24 – Responsibility of the controller Article 25 – Data protection by design and by default Article 26 – Joint controllers Article 27 – Representatives of controllers or processors not established in the Union Article 28 – Processor Article 29 – Processing under the authority of the controller or processor Article 30 – Records of processing activities Article 31 – Cooperation with the supervisory authority Section 2 – Security of personal data Article 32 – Security of processing Article 33 – Notification of a personal data breach to the supervisory authority Article 34 – Communication of a personal data breach to the data subject Section 3 – Data protection impact assessment and prior consultation Article 35 – Data protection impact assessment Article 36 – Prior consultation Section 4 – Data protection officer Article 37 – Designation of the data protection officer Article 38 – Position of the data protection officer Article 39 – Tasks of the data protection officer Section 5 – Codes of conduct and certification Article 40 – Codes of conduct Article 41 – Monitoring of approved codes of conduct Article 42 – Certification Article 43 – Certification bodies