Article 29 GDPR

From GDPRhub
Revision as of 15:31, 23 October 2020 by SR (talk | contribs) (→‎Commentary)
Article 29 - Processing under the authority of the controller or processor
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 29 - Processing under the authority of the controller or processor


The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Relevant Recitals

You can help us fill this section!

Commentary

Overview

Article 29 obliges processors and anyone acting under the authority of the controller or of the processor, who has access to personal data, to only process those data on instructions from the controller, unless required to do otherwise by Union or Member State law.

After deliberations during trilogues between the Council, Parliament, and Commission, the provision was maintained in the final text of the GDPR despite some arguments against its relevance. The provision is aimed at reinforcing the processor’s obligations to only act in line to the controller’s instructions, as well as at clarifying that these obligations extend to any person acting under the authority of the controller or processor.[1]

Commonalities and differences in relation to Article 28(3)(b)

The discussions during the trilogues on the relevance of Article 29 were rooted in the fact that Article 28(3)(b) already seems to cover much of the scope of Article 29. More specifically, Article 28(3)(b) states that the contract between the controller and processor shall stipulate that the processor:

“ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”

While Article 28(3)(b) seems to already lead to the controller being liable for violations carried out by its employees, Article 29 reiterates that despite the increased responsibilities of processors with the GDPR, the instructions of data controllers must ultimately be followed at all stages of the processing.[2] Furthermore, Article 29 explicitly extends the obligations arising from the data processing agreement in Article 28(3)(b) to all persons acting under the authority of the controller and processor.


[1] Millard/Kamarinou (in Kuner), 613.

[2] Ibid 615.

Decisions

→ You can find all related decisions in Category:Article 29 GDPR

References