Processing under the authority of the controller or processor
There is no recital in the Regulation related to article 29.
There is no recital in the Directive related to article 29.
Article 29 of the new Regulation now states that any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Article 16 of the Directive established the fundamental principle of confidentiality with respect to the personal data protection: any activity dealing with personal data processing can be performed only on the instruction of the controller.
This requirement also applies to any person who has access to the personal data, whether this access is made by a person acting under the authority of the controller or the processor as well as to the processor him/herself.
This provision poses difficulty if no direct link exists between the data subject and the controller - the latter not being organized contractually or otherwise - if the data subject concerned - such as an employee – works under the authority of a processor or a secondary processor. Doubtless, there will be a need to interpret it in this sense that it comes to the instructions received from the processor himself that he or she must transfer to his or her secondary processor. Let’s recall that the latter is responsible for the actions of its indirect processors and that logically, each of them is responsible for the people working under his or her authority.
This provision also seems to largely duplicate Article 32 (4) of the Regulation which reiterates its contents as a variation of the security obligation.
European data protection board (EDPB)
Guidelines 07/2020 on the concepts of controller and processor in the GDPR (2 September 2020)
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.
In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller. A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances. A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has accessto the data that is being processed to be qualified as a controller.
The qualification as joint controllers may arise where more than one actor is involved in the processing. The GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand.
A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf. The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.
Relationship between controller and processor
A controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Elements to be taken into account could be the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources and the processor’s adherence to an approved code of conduct or certification mechanism. Any processing of personal data by a processor must be governed by a contract or other legal act which shall be in writing, including in electronic form, and be binding. The controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses. The GDPR lists the elements that have to be set out in the processing agreement. The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.
Relationship among joint controllers
Joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the GDPR. The determination of their respective responsibilities must in particular regard the exercise of data subjects’ rights and the duties to provide information. In addition to this, the distribution of responsibilities should cover other controller obligations such as regarding the general data protection principles, legal basis, security measures, data breach notification obligation, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities. Each joint controller has the duty to ensure that they have a legal basis for the processing and that the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data. The legal form of the arrangement among joint controllers is not specified by the GDPR. For the sake of legal certainty, and in order to provide for transparency and accountability, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject. The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à- vis the data subjects and the essence of the arrangement shall be made available to the data subject. Irrespective of the terms of the arrangement, data subjects may exercise their rights in respect of and against each of the joint controllers. Supervisory authorities are not bound by the terms of the arrangement whether on the issue of the qualification of the parties as joint controllers or the designated contact point.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
1st proposal close
1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:
(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(c) take all required measures pursuant to Article 30;
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
2nd proposal close
1. (...). The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (...) in such a way that the processing will meet the requirements of th is Regulation (...).
1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.
2. The carrying out of processing by a processor shall be governed by a contract or a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of the controller (...) and stipulating, in particular that the processor shall:
(a) process the personal data only on instructions from the controller (...), unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;
(c) take all (...) measures required pursuant to Article 30;
(d) respect the conditions for enlisting another processor (...), such as a requirement of specific prior permission of the controller;
(e) (...) taking into account the nature of the processing, assist the controller in responding to requests for exercising the data subject’s rights laid down in Chapter III;
(f) (...) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) return or delete, at the choice of the controller, the personal data upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;
(h) make available to the controller (...) all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller. The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.
2a. Where a processor enlists (...) another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the cont roller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and or ganisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.
2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.
2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).
2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.
3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
Article 11.- Communication of data.- Organic Law 15/1999 on the Protection of Personal Data.-
1. Personal data subjected to processing may be communicated to third persons only for purposes directly related to the legitimate functions of the transferor and transferee with the prior consent of the data subject.
2. The consent required under the previous paragraph shall not be required:
a) when the transfer is authorised by a law.
b) when the data have been collected from publicly accessible sources.
c) when the processing corresponds to the free and legitimate acceptance of a legal relationship whose course, performance and monitoring necessarily involve the connection between such processing and files of third parties. In that case, communication shall be legitimate to the extent of the purpose justifying it.
d) when the communication to be effected is destined for the Ombudsman, the Office of Public Prosecutor, judges, courts or the Court of Auditors in the exercise of the functions assigned to them. Not shall consent be required when the communication is destined to regional government authorities with functions analogous to the Ombudsman or the Court of Auditors.
e) when the transfer is between public administrations and concerns the retrospective processing of the data for historical, statistical or scientific purposes.
f) when the transfer of personal data on health is necessary for resolving an emergency which requires access to a file or for conducting epidemiological studies within the meaning of central or regional government health legislation.
3. Consent for the communication of personal data to a third party shall be null and void when the information given to the data subject does not enable him to know the purpose for which the data whose communications is authorised will be used or the type of activity of the person to whom it is intended to communicate them.
4. Consent for the communication of personal data may also be revoked.
5. The person to who personal data are communicated is obliged, by the mere fact of the communication, to abide by the provisions of this Law.
6. If the communication is preceded by a depersonalisation procedure, the provisions of the preceding paragraphs shall not apply.
Article 12.- Access to data on behalf of third parties .- Organic Law 15/1999 on the Protection of Personal Data.-
1. Access to data by a third party shall not be considered communication of data when such access is necessary for the provision of a service to the data controller.
2. Processing on behalf of third parties shall be regulated in a contract which must be in writing or in any other form which allows its performance and content to be assessed, it being expressly laid down that the processor shall process the data only in accordance with the instructions of the controller, shall not apply or use them for a purpose other than that set out in the said contract, and shall not communicate them to other persons even for their preservation.
The contract shall also set out the security measures referred to in Article 9 of this Law, which the processor is obliged to implement.
3. Once the contractual service has been provided, the personal data must be destroyed or returned to the controller, together with any support or documents contain personal data processed.
4. If the processor uses the data for another purpose, communicates them or uses them in a way not in accordance with the terms of the contract, he shall also be considered as the controller and shall be personally responsible for the infringements committed by him.
Article 20.- Relations between the Data Controlles and Data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Access to data by a data processor that is necessary for the provision of a service to the data controller shall not be considered comnunication of data, as long as there is compliance with the provisions of Organic Law 15/1999, of 13 December and those contained in this Chapter.
The service provided by the data processor may or may not be remunerated and may be temporary or permanent.
The aforesaid notwithstanding, data communication shall be considered to exist when the purpose of the access is to establish a new relationship between whoever accesses the data and the data subject.
2. When the data controller engages the provision of a service entailing processing of personal data subject to the provisions of this Chapter, he shall ensure that the data processor complies with all the guarantees for compliance with that provided herein.
3. Should the data processor use the data for another purpose, disclose or use them in breach of the stipulations of the contract to which Article 12(2) of Organic Law 15/1999, of 13 December, refers, he shall also be considered the data controller, answering for the breaches he has personally caused.
The aforesaid notwithstanding, the data processor shall not be liable when, following the express indication of the data controller, he discloses the data to a third party designated by the data controller, to whom he has commissioned the provision of a service pursuant to the provisions of this Chapter.
Article 21.- Possibility of Subcontracting Services. Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. The data processor may not subcontract to a third party any processing commissioned to him by the data controller, unless he has received authorisation to do so. In that case, the contracting shall always be done in the name and on behalf of the data controller.
2. Notwithstanding the previous subsection, subcontracting shall be possible without the need for authorisation whenever the following requirements are met:
a) The contract specifies what services may be subject to subcontracting and, where possible, the company to which they shall be subcontracted.
When the subcontracted company is not identified in the contract, the data processor shall inform the data controller of its identifying data before proceeding with the subcontracting.
b) The processing of the personal data by the subcontractor follows the instructions of the data controller.
c) The data processor and the subcontracted company formalise the contract, under the terms provided in the previous Article.
In that case, the subcontractor shall be deemed the data processor, the provisions of Article 20.3 hereof being applicable to him.
3. If during the provision of the service it is necessary to subcontract a part of it and these circumstances have no provision in the contract, the points set out in the previous subsection shall be submitted to the data controller.
Article 22.- Storage of data by the data Processor.- Royal Decree 1720/2007 Implementing Organic Law 15/1999.-
1. Once the contractual provision has been fulfilled, the personal data shall be destroyed or returned to the data controller or his designated data processor, together with any medium or document recording any personal data subject to processing.
The data shall not be destroyed when there is a legal provision requiring their storage, in which case they shall be returned and the data controller shall guarantee their storage.
2. The data processor shall store the data, duly blocked, whilst any liability may arise from the relations with the data controller.