CHAPTER 4 Controller and processor

Section 1 - General obligations
Article 24 - Responsibility of the controller
Article 25 - Data protection by design and by default
Article 26 - Joint controllers
Article 27 - Representatives of controllers or processors not established in the Union
Article 28 - Processor
Article 29 - Processing under the authority of the controller or processor
Article 30 - Records of processing activities
Article 31 - Cooperation with the supervisory authority

Section 2 - Security of personal data
Article 32 - Security of processing
Article 33 - Notification of a personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject

Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment
Article 36 - Prior consultation

Section 4 - Data protection officer
Article 37 - Designation of the data protection officer
Article 38 - Position of the data protection officer
Article 39 - Tasks of the data protection officer

Section 5 - Codes of conduct and certification
Article 40 - Codes of conduct
Article 41 - Monitoring of approved codes of conduct
Article 42 - Certification
Article 43 - Certification bodies