- Section 1 – General obligations
- Article 24 – Responsibility of the controller
- Article 25 – Data protection by design and by default
- Article 26 – Joint controllers
- Article 27 – Representatives of controllers or processors not established in the Union
- Article 28 – Processor
- Article 29 – Processing under the authority of the controller or processor
- Article 30 – Records of processing activities
- Article 31 – Cooperation with the supervisory authority
- Section 2 – Security of personal data
- Section 3 – Data protection impact assessment and prior consultation
- Section 4 – Data protection officer
- Section 5 – Codes of conduct and certification