Author: András Jóri
I. Preliminary remarks
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Art. 29 of the GDPR emphasizes the need for the processor to act on the instructions of the controller, and it widens the scope of this obligation to any person acting under the authority of the controller or of the processor. Such persons include not only sub-processors but also employees of the controller or of the processor.
II. Legislative history
Art. 16 DPD contains a similarly worded provision under the title “Confidentiality of processing”: “Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law”. According to the Comm-P, the above provision of the GDPR is based on Art. 16 DPD. The wording used in the GDPR is almost identical to that appearing in the Comm-P; it was only subject to a minor stylistic change during the law-making process.
III. Analysis
The processor (acting under the authority of the controller)
The definitions of the controller and the processor (→ Art. 4 no. 7 and no. 8) clearly determine the role of the latter: it shall process personal data “on behalf of the controller” (→ Art. 4 no. 8 mn. 11 et seq.). Art. 28 of the GDPR sets out detailed requirements for the content of the contract or other legal act governing the controller-processor relationship. That contract or legal act shall stipulate (among other things) that the processor “processes the personal data only on documented instructions from the controller” (→ Art. 28 mn. 23 et seq.).
In this context, Art. 29 hardly formulates any new obligation for the processor; it only reiterates those set out by Art. 28, with added emphasis on the prohibition of any processing activity not based on the controller’s instructions.[1] Such activities are expressly forbidden: every processing activity by the processor must derive from an instruction of the controller. As the literature already emphasized in the context of the DPD, the lawfulness of the processing is generally not assessed when applying this provision: what matters is that the processor’s activities are in line with the instructions.[2] Note, however, that Art. 28 para. 3 GDPR obliges the processor to inform the controller immediately if, in the processor’s opinion, an instruction infringes the GDPR or Member State data protection law (→ Art. 28 mn. 60 et seq.).[3]
Note that, as in other cases (e.g. consent to various data processing activities, see recital 43), some processing activities might not appear expressly in those instructions. For example, the controller’s instruction to have personal data stored by a processor (e.g. a cloud provider) may entail processing activities the controller is not even aware of, such as temporary storage of the data on backup media or replication across multiple locations to maintain an appropriate level of IT security. Where such activities are necessary and inevitable ancillary processing for the provision of the processor’s services, in our interpretation they shall still be regarded as carried out “on the instructions of the controller”.
[…]
[1] Indeed, the provision was found redundant by several Member States and the Council during the law-making process: see Millard/Kamarinou 2020, p. 614.
[2] Dammann/Simitis 1997, p. 224.
[3] For the linkages between Art. 29 and Art. 28 para. 3 GDPR, see Millard/Kamarinou, ‘Art. 29’, in Kuner/Bygrave/Docksey, p. 612, at pp. 614-615.