Processing under the authority of the controller or processor
There is no recital in the Regulation related to article 29.
There is no recital in the Directive related to article 29.
Article 29 of the new Regulation now states that any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Article 16 of the Directive established the fundamental principle of confidentiality with respect to the personal data protection: any activity dealing with personal data processing can be performed only on the instruction of the controller.
This requirement also applies to any person who has access to the personal data, whether this access is made by a person acting under the authority of the controller or the processor as well as to the processor him/herself.
This provision poses difficulty if no direct link exists between the data subject and the controller - the latter not being organized contractually or otherwise - if the data subject concerned - such as an employee – works under the authority of a processor or a secondary processor. Doubtless, there will be a need to interpret it in this sense that it comes to the instructions received from the processor himself that he or she must transfer to his or her secondary processor. Let’s recall that the latter is responsible for the actions of its indirect processors and that logically, each of them is responsible for the people working under his or her authority.
This provision also seems to largely duplicate Article 32 (4) of the Regulation which reiterates its contents as a variation of the security obligation.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
1st proposal close
1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:
(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(c) take all required measures pursuant to Article 30;
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
2nd proposal close
1. (...). The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (...) in such a way that the processing will meet the requirements of th is Regulation (...).
1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.
2. The carrying out of processing by a processor shall be governed by a contract or a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of the controller (...) and stipulating, in particular that the processor shall:
(a) process the personal data only on instructions from the controller (...), unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;
(c) take all (...) measures required pursuant to Article 30;
(d) respect the conditions for enlisting another processor (...), such as a requirement of specific prior permission of the controller;
(e) (...) taking into account the nature of the processing, assist the controller in responding to requests for exercising the data subject’s rights laid down in Chapter III;
(f) (...) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) return or delete, at the choice of the controller, the personal data upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;
(h) make available to the controller (...) all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller. The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.
2a. Where a processor enlists (...) another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the cont roller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and or ganisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.
2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.
2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).
2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.
3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
Article 11.- Communication of data.- Organic Law 15/1999 on the Protection of Personal Data.-
1. Personal data subjected to processing may be communicated to third persons only for purposes directly related to the legitimate functions of the transferor and transferee with the prior consent of the data subject.
2. The consent required under the previous paragraph shall not be required:
a) when the transfer is authorised by a law.
b) when the data have been collected from publicly accessible sources.
c) when the processing corresponds to the free and legitimate acceptance of a legal relationship whose course, performance and monitoring necessarily involve the connection between such processing and files of third parties. In that case, communication shall be legitimate to the extent of the purpose justifying it.
d) when the communication to be effected is destined for the Ombudsman, the Office of Public Prosecutor, judges, courts or the Court of Auditors in the exercise of the functions assigned to them. Not shall consent be required when the communication is destined to regional government authorities with functions analogous to the Ombudsman or the Court of Auditors.
e) when the transfer is between public administrations and concerns the retrospective processing of the data for historical, statistical or scientific purposes.
f) when the transfer of personal data on health is necessary for resolving an emergency which requires access to a file or for conducting epidemiological studies within the meaning of central or regional government health legislation.
3. Consent for the communication of personal data to a third party shall be null and void when the information given to the data subject does not enable him to know the purpose for which the data whose communications is authorised will be used or the type of activity of the person to whom it is intended to communicate them.
4. Consent for the communication of personal data may also be revoked.
5. The person to who personal data are communicated is obliged, by the mere fact of the communication, to abide by the provisions of this Law.
6. If the communication is preceded by a depersonalisation procedure, the provisions of the preceding paragraphs shall not apply.
Article 12.- Access to data on behalf of third parties .- Organic Law 15/1999 on the Protection of Personal Data.-
1. Access to data by a third party shall not be considered communication of data when such access is necessary for the provision of a service to the data controller.
2. Processing on behalf of third parties shall be regulated in a contract which must be in writing or in any other form which allows its performance and content to be assessed, it being expressly laid down that the processor shall process the data only in accordance with the instructions of the controller, shall not apply or use them for a purpose other than that set out in the said contract, and shall not communicate them to other persons even for their preservation.
The contract shall also set out the security measures referred to in Article 9 of this Law, which the processor is obliged to implement.
3. Once the contractual service has been provided, the personal data must be destroyed or returned to the controller, together with any support or documents contain personal data processed.
4. If the processor uses the data for another purpose, communicates them or uses them in a way not in accordance with the terms of the contract, he shall also be considered as the controller and shall be personally responsible for the infringements committed by him.
Article 20.- Relations between the Data Controlles and Data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Access to data by a data processor that is necessary for the provision of a service to the data controller shall not be considered comnunication of data, as long as there is compliance with the provisions of Organic Law 15/1999, of 13 December and those contained in this Chapter.
The service provided by the data processor may or may not be remunerated and may be temporary or permanent.
The aforesaid notwithstanding, data communication shall be considered to exist when the purpose of the access is to establish a new relationship between whoever accesses the data and the data subject.
2. When the data controller engages the provision of a service entailing processing of personal data subject to the provisions of this Chapter, he shall ensure that the data processor complies with all the guarantees for compliance with that provided herein.
3. Should the data processor use the data for another purpose, disclose or use them in breach of the stipulations of the contract to which Article 12(2) of Organic Law 15/1999, of 13 December, refers, he shall also be considered the data controller, answering for the breaches he has personally caused.
The aforesaid notwithstanding, the data processor shall not be liable when, following the express indication of the data controller, he discloses the data to a third party designated by the data controller, to whom he has commissioned the provision of a service pursuant to the provisions of this Chapter.
Article 21.- Possibility of Subcontracting Services. Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. The data processor may not subcontract to a third party any processing commissioned to him by the data controller, unless he has received authorisation to do so. In that case, the contracting shall always be done in the name and on behalf of the data controller.
2. Notwithstanding the previous subsection, subcontracting shall be possible without the need for authorisation whenever the following requirements are met:
a) The contract specifies what services may be subject to subcontracting and, where possible, the company to which they shall be subcontracted.
When the subcontracted company is not identified in the contract, the data processor shall inform the data controller of its identifying data before proceeding with the subcontracting.
b) The processing of the personal data by the subcontractor follows the instructions of the data controller.
c) The data processor and the subcontracted company formalise the contract, under the terms provided in the previous Article.
In that case, the subcontractor shall be deemed the data processor, the provisions of Article 20.3 hereof being applicable to him.
3. If during the provision of the service it is necessary to subcontract a part of it and these circumstances have no provision in the contract, the points set out in the previous subsection shall be submitted to the data controller.
Article 22.- Storage of data by the data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Once the contractual provision has been fulfilled, the personal data shall be destroyed or returned to the data controller or his designated data processor, together with any medium or document recording any personal data subject to processing.
The data shall not be destroyed when there is a legal provision requiring their storage, in which case they shall be returned and the data controller shall guarantee their storage.
2. The data processor shall store the data, duly blocked, whilst any liability may arise from the relations with the data controller.