Article 29 GDPR: Difference between revisions
Line 196: | Line 196: | ||
===Commonalities and Differences in Relation to [[Article 28 GDPR|Article 28(3)(b) GDPR]]=== | ===Commonalities and Differences in Relation to [[Article 28 GDPR|Article 28(3)(b) GDPR]]=== | ||
After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor. | After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.<ref>''Millard/Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 29 GDPR, p. 613 (Oxford University Press 2020).</ref> | ||
The discussions on the relevance of Article 29 GDPR were rooted in the fact that [[Article 28 GDPR|Article 28(3)(b) GDPR]] already seems to cover much of the scope of Article 29 GDPR. More specifically, [[Article 28 GDPR|Article 28(3)(b) GDPR]] states that the contract between the controller and processor shall stipulate that the processor “ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”. | The discussions on the relevance of Article 29 GDPR were rooted in the fact that [[Article 28 GDPR|Article 28(3)(b) GDPR]] already seems to cover much of the scope of Article 29 GDPR. More specifically, [[Article 28 GDPR|Article 28(3)(b) GDPR]] states that the contract between the controller and processor shall stipulate that the processor “ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”. | ||
While [[Article 28 GDPR|Article 28(3)(b) GDPR]] seems to already lead to the controller being liable for violations carried out by its employees, Article 29 GDPR reiterates that despite the increased responsibilities of processors under the GDPR, the instructions of data controllers must be followed at every stage of the processing. | While [[Article 28 GDPR|Article 28(3)(b) GDPR]] seems to already lead to the controller being liable for violations carried out by its employees, Article 29 GDPR reiterates that despite the increased responsibilities of processors under the GDPR, the instructions of data controllers must be followed at every stage of the processing.<ref>''Millard/Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 29 GDPR, p. 615 (Oxford University Press 2020).</ref> Furthermore, Article 29 GDPR explicitly extends the obligations arising from the data processing agreement in [[Article 28 GDPR|Article 28(3)(b) GDPR]] to all persons acting under the authority of the controller and processor. | ||
==Decisions== | ==Decisions== | ||
→ You can find all related decisions in [[:Category:Article 29 GDPR]] | → You can find all related decisions in [[:Category:Article 29 GDPR]] |
Revision as of 17:43, 16 August 2021
Legal Text
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Relevant Recitals
Commentary on Article 29
Article 29 GDPR obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.
Commonalities and Differences in Relation to Article 28(3)(b) GDPR
After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]
The discussions on the relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically, Article 28(3)(b) GDPR states that the contract between the controller and processor shall stipulate that the processor “ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”.
While Article 28(3)(b) GDPR seems to already lead to the controller being liable for violations carried out by its employees, Article 29 GDPR reiterates that despite the increased responsibilities of processors under the GDPR, the instructions of data controllers must be followed at every stage of the processing.[2] Furthermore, Article 29 GDPR explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) GDPR to all persons acting under the authority of the controller and processor.
Decisions
→ You can find all related decisions in Category:Article 29 GDPR