Rephrase statement 1:

The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf. These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform. Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.

• Give an example.

Rephrase statement 2:

You may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses' use and disclosure of your sensitive personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.