Article 29
Processing under the authority of the controller or processor

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation

There is no recital in the Regulation related to article 29.

There is no recital in the Directive related to article 29.

The GDPR

Article 29 of the new Regulation now states that any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

The Directive

Article 16 of the Directive established the fundamental principle of confidentiality with respect to the personal data protection: any activity dealing with personal data processing can be performed only on the instruction of the controller.

This requirement also applies to any person who has access to the personal data, whether this access is made by a person acting under the authority of the controller or the processor as well as to the processor him/herself.

Potential issues

This provision poses difficulty if no direct link exists between the data subject and the controller - the latter not being organized contractually or otherwise - if the data subject concerned - such as an employee – works under the authority of a processor or a secondary processor. Doubtless, there will be a need to interpret it in this sense that it comes to the instructions received from the processor himself that he or she must transfer to his or her secondary processor. Let’s recall that the latter is responsible for the actions of its indirect processors and that logically, each of them is responsible for the people working under his or her authority.

This provision also seems to largely duplicate Article 32 (4) of the Regulation which reiterates its contents as a variation of the security obligation.

Regulation
1e 2e

Art. 29

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

1st proposal close

Art. 26

1.           Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

2.           The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

(a)     act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

(b)     employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(c)     take all required measures pursuant to Article 30;

(d)     enlist another processor only with the prior permission of the controller;

(e)     insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(f)      assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g)     hand over all results to the controller after the end of the processing and not process the personal data otherwise;

(h)     make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.

3.           The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

4.           If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

5.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

2nd proposal close

Art. 26

1. (...). The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (...) in such a way that the processing will meet the requirements of th is Regulation (...).

1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.

1b. (...)

2. The carrying out of processing by a processor shall be governed by a contract or a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of the controller (...) and stipulating, in particular that the processor shall:

(a) process the personal data only on instructions from the controller (...), unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;

(b) (...)

(c) take all (...) measures required pursuant to Article 30;

(d) respect the conditions for enlisting another processor (...), such as a requirement of specific prior permission of the controller;

(e) (...) taking into account the nature of the processing, assist the controller in responding to requests for exercising the data subject’s rights laid down in Chapter III;

(f) (...) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) return or delete, at the choice of the controller, the personal data upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;

(h) make available to the controller (...) all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller. The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.

2a. Where a processor enlists (...) another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the cont roller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and or ganisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.

2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.

2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).

2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.

3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.

4. (...)

5. (...)

 

Directive close

Art. 17

(…)

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

- the processor shall act only on instructions from the controller,

- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

41. - (1)  Individuals, companies etc. performing work for the controller or the processor and who have access to data may process these only on instructions from the controller unless otherwise provided by law or regulations.

(2) The instruction mentioned in subsection (1) may not restrict journalistic freedom or impede the production of an artistic or literary product.

(3) The controller shall implement appropriate technical and organizational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in this Act. The same shall apply to processors.

(4) As regards data which are processed for the public administration and which are of special interest to foreign powers, measures shall be taken to ensure that they can be disposed of or destroyed in the event of war or similar conditions.

(5) The Minister of Justice may lay down more detailed rules concerning the security measures mentioned in subsection (3).

close