Article 29 GDPR
Legal Text
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Relevant Recitals
You can help us fill this section!
Commentary on Article 29
Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.
After deliberations during negotiations between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]
Commonalities and differences in relation to Article 28(3)(b)
The discussions on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:
“ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”
While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors under the GDPR, the instructions of data controllers must be followed at every stage of the processing.[2] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.
[1] Christopher Millard and Dimitra Kamarinou, ‘Article 29. Processing under the authority of the controller or processor’ in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and and Laura Dreachsler (eds.), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press), 613.
[2] Ibid 615.
Decisions
→ You can find all related decisions in Category:Article 29 GDPR