← Article 29 - Processing under the authority of the controller or processor →
|
|
Chapter 1: General provisions
Chapter 3: Rights of the data subject
Chapter 4: Controller and processor
Chapter 5: Transfers of personal data
Chapter 6: Supervisory authorities
Chapter 7: Cooperation and consistency
Chapter 8: Remedies, liability and penalties
Chapter 9: Specific processing situations
Chapter 10: Delegated and implementing acts
Chapter 11: Final provisions
|
Legal Text
Article 29 - Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Relevant Recitals
Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.
Commentary on Article 29
Article 29 GDPR obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.
Commonalities and Differences in Relation to Article 28(3)(b) GDPR
After deliberations during negotiations between the Council, Parliament and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]
The discussions on the relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically, Article 28(3)(b) GDPR states that the contract between the controller and processor shall stipulate that the processor “ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”.
While Article 28(3)(b) GDPR seems to already lead to the controller being liable for violations carried out by its employees, Article 29 GDPR reiterates that despite the increased responsibilities of processors under the GDPR, the instructions of data controllers must be followed at every stage of the processing.[2] Furthermore, Article 29 GDPR explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) GDPR to all persons acting under the authority of the controller and processor.
Decisions
→ You can find all related decisions in Category:Article 29 GDPR
References
- ↑ Millard/Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 29 GDPR, p. 613 (Oxford University Press 2020).
- ↑ Millard/Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 29 GDPR, p. 615 (Oxford University Press 2020).