Article 29 GDPR: Difference between revisions
(5 intermediate revisions by 3 users not shown) | |||
Line 185: | Line 185: | ||
==Legal Text== | ==Legal Text== | ||
<br /><center>'''Article 29 - Processing under the authority of the controller or processor'''</center | <br /><center>'''Article 29 - Processing under the authority of the controller or processor'''</center> | ||
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. | The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. | ||
Line 192: | Line 192: | ||
{{Recital/81 GDPR}} | {{Recital/81 GDPR}} | ||
==Commentary | ==Commentary== | ||
Article 29 obliges processors and anyone | Article 29 GDPR obliges processors and anyone with access to personal data that acts under the authority of the controller or processor to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law. | ||
After deliberations during negotiations between the Council, Parliament | ===Commonalities and differences in relation to [[Article 28 GDPR|Article 28(3)(b) GDPR]]=== | ||
After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line with the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 29 GDPR, p. 613 (Oxford University Press 2020).</ref> | |||
The discussions on the relevance of Article 29 GDPR were rooted in the fact that [[Article 28 GDPR|Article 28(3)(b) GDPR]] already seems to cover much of the scope of Article 29 GDPR. More specifically, [[Article 28 GDPR|Article 28(3)(b) GDPR]] states that the contract between the controller and processor shall stipulate that the processor “''ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality''”. | |||
The discussions on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor | |||
While [[Article 28 GDPR|Article 28(3)(b) GDPR]] seems to already designate the controller as liable for violations carried out by its employees, ''Millard'' and ''Kamarinou'' suggest that “''Article 29 GDPR exists to reiterate that, despite the processor’s increased responsibilities under the GDPR, it is ultimately the controller’s instructions which should be followed at every stage of the processing.''”<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 29 GDPR, p. 615 (Oxford University Press 2020).</ref> As such, Article 29 GDPR explicitly extends the obligations arising from the data processing agreement in [[Article 28 GDPR|Article 28(3)(b) GDPR]] to all persons acting under the authority of the controller and processor. | |||
While Article 28(3)(b) seems to already | |||
==Decisions== | ==Decisions== |
Latest revision as of 13:15, 2 June 2023
Legal Text
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Relevant Recitals
Commentary
Article 29 GDPR obliges processors and anyone with access to personal data that acts under the authority of the controller or processor to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.
Commonalities and differences in relation to Article 28(3)(b) GDPR
After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line with the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]
The discussions on the relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically, Article 28(3)(b) GDPR states that the contract between the controller and processor shall stipulate that the processor “ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”.
While Article 28(3)(b) GDPR seems to already designate the controller as liable for violations carried out by its employees, Millard and Kamarinou suggest that “Article 29 GDPR exists to reiterate that, despite the processor’s increased responsibilities under the GDPR, it is ultimately the controller’s instructions which should be followed at every stage of the processing.”[2] As such, Article 29 GDPR explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) GDPR to all persons acting under the authority of the controller and processor.
Decisions
→ You can find all related decisions in Category:Article 29 GDPR
References
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 29 GDPR, p. 613 (Oxford University Press 2020).
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 29 GDPR, p. 615 (Oxford University Press 2020).