Article 29 GDPR: Difference between revisions
No edit summary |
|||
Line 2: | Line 2: | ||
![[Article 28 GDPR|←]] Article 29 - Processing under the authority of the controller or processor [[Article 30 GDPR|→]] | ![[Article 28 GDPR|←]] Article 29 - Processing under the authority of the controller or processor [[Article 30 GDPR|→]] | ||
|- | |- | ||
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | | style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | ||
|- | |- | ||
| | | | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 17: | Line 17: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 31: | Line 31: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 50: | Line 50: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible | <div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 77: | Line 77: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 91: | Line 91: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 107: | Line 107: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 131: | Line 131: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 146: | Line 146: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 160: | Line 160: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 169: | Line 169: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 184: | Line 184: | ||
|} | |} | ||
== Legal Text == | ==Legal Text== | ||
<br /><center>'''Article 29 - Processing under the authority of the controller or processor'''</center><br /> | <br /><center>'''Article 29 - Processing under the authority of the controller or processor'''</center><br /> | ||
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. | The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. | ||
== Relevant Recitals== | ==Relevant Recitals== | ||
''You can help us fill this section!'' | ''You can help us fill this section!'' | ||
== Commentary == | ==Commentary== | ||
=== Overview === | |||
Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law. | |||
After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[[Article 29 GDPR#%20ftn1|[1]]] | |||
=== Commonalities and differences in relation to Article 28(3)(b) === | |||
The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor: | |||
“ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality” | |||
While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[[Article 29 GDPR#%20ftn2|[2]]] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor. | |||
----[[Article 29 GDPR#%20ftnref1|[1]]] Millard/Kamarinou (in Kuner), 613. | |||
[[Article 29 GDPR#%20ftnref2|[2]]] Ibid 615. | |||
== Decisions == | ==Decisions== | ||
→ You can find all related decisions in [[:Category:Article 29 GDPR]] | → You can find all related decisions in [[:Category:Article 29 GDPR]] | ||
== References == | ==References== | ||
<references /> | <references /> | ||
[[Category:GDPR Articles]] | [[Category:GDPR Articles]] |
Revision as of 15:31, 23 October 2020
Legal Text
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Relevant Recitals
You can help us fill this section!
Commentary
Overview
Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.
After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]
Commonalities and differences in relation to Article 28(3)(b)
The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:
“ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”
While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[2] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.
[1] Millard/Kamarinou (in Kuner), 613.
[2] Ibid 615.
Decisions
→ You can find all related decisions in Category:Article 29 GDPR