Article 29 GDPR: Difference between revisions

From GDPRhub
mNo edit summary
Line 194: Line 194:
==Commentary==
==Commentary==


=== Overview ===
===Overview===
Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.  
Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.  


After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[[Article 29 GDPR#%20ftn1|[1]]]
After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[[Article 29 GDPR#%20ftn1|[1]]]


=== Commonalities and differences in relation to Article 28(3)(b) ===
===Commonalities and differences in relation to Article 28(3)(b)===
The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:
The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:


Line 205: Line 205:


While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[[Article 29 GDPR#%20ftn2|[2]]] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.
While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[[Article 29 GDPR#%20ftn2|[2]]] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.
----[[Article 29 GDPR#%20ftnref1|[1]]] Millard/Kamarinou (in Kuner), 613.
----[[Article 29 GDPR#%20ftnref1|[1]]] Christopher Millard and Dimitra Kamarinou, ‘Article 29. Processing under the authority of the controller or processor’ in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and and Laura Dreachsler (eds.), ''The EU General Data Protection Regulation (GDPR) – A Commentary'' (Oxford University Press), 613.


[[Article 29 GDPR#%20ftnref2|[2]]] Ibid 615.
[[Article 29 GDPR#%20ftnref2|[2]]] Ibid 615.

Revision as of 16:06, 6 November 2020

Article 29 - Processing under the authority of the controller or processor
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 29 - Processing under the authority of the controller or processor


The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Relevant Recitals

You can help us fill this section!

Commentary

Overview

Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.

After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]

Commonalities and differences in relation to Article 28(3)(b)

The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:

“ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”

While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[2] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.


[1] Christopher Millard and Dimitra Kamarinou, ‘Article 29. Processing under the authority of the controller or processor’ in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and and Laura Dreachsler (eds.), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press), 613.

[2] Ibid 615.

Decisions

→ You can find all related decisions in Category:Article 29 GDPR

References