Article 29 of the GDPR: Processing under the authority of the controller or processor
Article 29 of the GDPR specifies that anyone acting under the authority of the controller or of the processor who has access to personal data may process that data only on the controller's instructions, unless required to do so by law. The aim of this principle is to keep access to personal data under strict control.
Article 29 of the GDPR explained
Any employee, service provider or other party accessing personal data must follow the instructions of the controller or processor. In practice this implies:
- Awareness raising and training of those concerned;
- The establishment of procedures governing authorized processing;
- Measures to trace and control access to data.
Why is this article important for your GDPR compliance?
Strict respect for the controller's authority is essential to prevent unauthorized processing, which is a common source of data leaks and abuse. What is at stake is the security and lawfulness of the processing carried out by members of the organization or by its partners.
How to comply with Article 29 of the GDPR?
- Clearly define who can access the data and under what conditions;
- Formalize processing instructions in internal procedures or guides;
- Train employees on the GDPR and their obligations;
- Use data access authentication and traceability systems.
Examples of application of Article 29 of the GDPR
- An employee has access only to the data necessary for their duties (need-to-know principle).
- An IT support provider may consult customer databases only in the context of a ticket validated by the controller.
- An intern is trained in GDPR guidelines before accessing software containing personal data.