Article 29
Processing under the authority of the controller or processor
There is no recital in the Regulation related to article 29.
There is no recital in the Directive related to article 29.
Regulation
Art. 29 The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Directive
Art. 17 (…)
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
Spain
Article 11.- Communication of data.- Organic Law 15/1999 on the Protection of Personal Data.-
1. Personal data subjected to processing may be communicated to third persons only for purposes directly related to the legitimate functions of the transferor and transferee with the prior consent of the data subject.
2. The consent required under the previous paragraph shall not be required:
a) when the transfer is authorised by a law.
b) when the data have been collected from publicly accessible sources.
c) when the processing corresponds to the free and legitimate acceptance of a legal relationship whose course, performance and monitoring necessarily involve the connection between such processing and files of third parties. In that case, communication shall be legitimate to the extent of the purpose justifying it.
d) when the communication to be effected is destined for the Ombudsman, the Office of Public Prosecutor, judges, courts or the Court of Auditors in the exercise of the functions assigned to them. Nor shall consent be required when the communication is destined to regional government authorities with functions analogous to the Ombudsman or the Court of Auditors.
e) when the transfer is between public administrations and concerns the retrospective processing of the data for historical, statistical or scientific purposes.
f) when the transfer of personal data on health is necessary for resolving an emergency which requires access to a file or for conducting epidemiological studies within the meaning of central or regional government health legislation.
3. Consent for the communication of personal data to a third party shall be null and void when the information given to the data subject does not enable him to know the purpose for which the data whose communication is authorised will be used or the type of activity of the person to whom it is intended to communicate them.
4. Consent for the communication of personal data may also be revoked.
5. The person to whom personal data are communicated is obliged, by the mere fact of the communication, to abide by the provisions of this Law.
6. If the communication is preceded by a depersonalisation procedure, the provisions of the preceding paragraphs shall not apply.
Article 12.- Access to data on behalf of third parties.- Organic Law 15/1999 on the Protection of Personal Data.-
1. Access to data by a third party shall not be considered communication of data when such access is necessary for the provision of a service to the data controller.
2. Processing on behalf of third parties shall be regulated in a contract which must be in writing or in any other form which allows its performance and content to be assessed, it being expressly laid down that the processor shall process the data only in accordance with the instructions of the controller, shall not apply or use them for a purpose other than that set out in the said contract, and shall not communicate them to other persons even for their preservation. The contract shall also set out the security measures referred to in Article 9 of this Law, which the processor is obliged to implement.
3. Once the contractual service has been provided, the personal data must be destroyed or returned to the controller, together with any support or documents containing personal data processed.
4. If the processor uses the data for another purpose, communicates them or uses them in a way not in accordance with the terms of the contract, he shall also be considered as the controller and shall be personally responsible for the infringements committed by him.
Article 20.- Relations between the Data Controller and Data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Access to data by a data processor that is necessary for the provision of a service to the data controller shall not be considered communication of data, as long as there is compliance with the provisions of Organic Law 15/1999, of 13 December and those contained in this Chapter. The service provided by the data processor may or may not be remunerated and may be temporary or permanent. The aforesaid notwithstanding, data communication shall be considered to exist when the purpose of the access is to establish a new relationship between whoever accesses the data and the data subject.
2. When the data controller engages the provision of a service entailing processing of personal data subject to the provisions of this Chapter, he shall ensure that the data processor complies with all the guarantees for compliance with that provided herein.
3. Should the data processor use the data for another purpose, disclose or use them in breach of the stipulations of the contract to which Article 12(2) of Organic Law 15/1999, of 13 December, refers, he shall also be considered the data controller, answering for the breaches he has personally caused. The aforesaid notwithstanding, the data processor shall not be liable when, following the express indication of the data controller, he discloses the data to a third party designated by the data controller, to whom he has commissioned the provision of a service pursuant to the provisions of this Chapter.
Article 21.- Possibility of Subcontracting Services.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. The data processor may not subcontract to a third party any processing commissioned to him by the data controller, unless he has received authorisation to do so. In that case, the contracting shall always be done in the name and on behalf of the data controller.
2. Notwithstanding the previous subsection, subcontracting shall be possible without the need for authorisation whenever the following requirements are met:
a) The contract specifies what services may be subject to subcontracting and, where possible, the company to which they shall be subcontracted. When the subcontracted company is not identified in the contract, the data processor shall inform the data controller of its identifying data before proceeding with the subcontracting.
b) The processing of the personal data by the subcontractor follows the instructions of the data controller.
c) The data processor and the subcontracted company formalise the contract, under the terms provided in the previous Article. In that case, the subcontractor shall be deemed the data processor, the provisions of Article 20.3 hereof being applicable to him.
3. If during the provision of the service it is necessary to subcontract a part of it and these circumstances have no provision in the contract, the points set out in the previous subsection shall be submitted to the data controller.
Article 22.- Storage of data by the Data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Once the contractual provision has been fulfilled, the personal data shall be destroyed or returned to the data controller or his designated data processor, together with any medium or document recording any personal data subject to processing. The data shall not be destroyed when there is a legal provision requiring their storage, in which case they shall be returned and the data controller shall guarantee their storage.
2. The data processor shall store the data, duly blocked, whilst any liability may arise from the relations with the data controller.