GDPR Article 29

Processing under the authority of the controller or processor

  • The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

GDPR Article 29 Compliance Guide

Article 29 establishes a clear chain of authority for data processing: the processor, and any person working under the authority of the controller or of the processor, may process personal data only on the controller's instructions. The single exception is processing that Union or Member State law requires.

Understanding Article 29 with Examples

We can break this down with examples:

Example 1: Marketing Agency Scenario

  • Controller: A retail company that collects customer email addresses

  • Processor: A marketing agency hired to send promotional emails

  • People under authority: The marketing agency's employees

Under Article 29, the marketing agency employees can only use those email addresses according to the retail company's instructions. They cannot:

  • Send emails about unrelated products

  • Use the data for their own marketing research

  • Share the email list with other clients

Example 2: Cloud Storage Provider

  • Controller: A healthcare provider storing patient records

  • Processor: A cloud storage company hosting the data

  • People under authority: IT staff at the cloud company

The cloud provider's IT staff cannot:

  • Data mine patient records for research purposes

  • Access records beyond what's needed for maintenance

  • Make backup copies outside of the controller's instructions

Example 3: Internal Processing

  • Controller: A bank

  • People under authority: The bank's own employees

Bank employees who can access customer financial data cannot:

  • Look up celebrity accounts out of curiosity

  • Use customer data for personal purposes

  • Process data in ways not authorized by bank policy

Practical Compliance Measures

To comply with Article 29, organizations should implement:

For Controllers:
  1. Clear Written Instructions: Document precisely what processors can and cannot do with personal data.

  2. Detailed Data Processing Agreements: Establish contracts with processors that specifically outline permissible processing activities.

  3. Regular Audits: Verify processors are following instructions.

  4. Staff Training: Ensure internal staff understand their limitations in data processing.

  5. Access Controls: Implement technical measures, such as role-based access limited to the data each role needs, that prevent processing outside the documented instructions.

For Processors:
  1. Processing Records: Maintain the record of processing activities required of processors by Article 30(2), together with the controller's documented instructions, so that every processing activity can be traced back to an instruction.

  2. Staff Training: Ensure all employees understand they can only process data as instructed.

  3. Technical Safeguards: Implement systems that prevent processing outside defined parameters.

  4. Subprocessor Management: Ensure any subprocessors are bound by the same restrictions.

  5. Notification Protocols: Implement procedures to inform the controller without undue delay of any personal data breach (Article 33(2)) and to inform it immediately if an instruction appears to infringe the GDPR (Article 28(3)(h)).

For Employees:
  1. Confidentiality Agreements: Sign contracts that explicitly mention data processing limitations.

  2. Clear Job Descriptions: Define permissible data processing activities per role.

  3. Regular Training: Understand GDPR requirements and specific processing instructions.

  4. Reporting Mechanisms: Know how to report questionable data processing requests.

Relationship with Other GDPR Provisions

Article 29 interconnects with several other GDPR provisions:

  • Article 28 (Processor): Sets the contractual framework that Article 29 builds on. Article 28(3)(a) requires the processor to process only on the controller's documented instructions, Article 28(3)(b) requires the persons authorised to process the data to be bound by confidentiality, and Articles 28(2) and 28(4) govern the engagement of sub-processors.

  • Article 32 (Security): Article 32(4) restates the Article 29 rule as a security obligation: the controller and the processor must take steps to ensure that any natural person acting under their authority who has access to personal data processes it only on the controller's instructions.

  • Article 24 (Controller Responsibility): Places ultimate accountability on controllers to ensure all processing follows the rules.

  • Articles 33-34 (Breach Notification): Unauthorized processing contrary to Article 29 may constitute a reportable breach.

  • Article 83 (Penalties): Article 29 falls within Article 83(4)(a), so infringements can attract administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.

  • Article 5 (Principles): Restricting processing to instructed purposes supports purpose limitation (Article 5(1)(b)), data minimisation (Article 5(1)(c)) and integrity and confidentiality (Article 5(1)(f)).

  • Articles 12-23 (Data Subject Rights): Unauthorized processing could infringe on individual rights.

Model Compliance Policy: Processing Authority Protocol

COMPANY NAME: [Your Company]

POLICY TITLE: Processing Under Authority Protocol

EFFECTIVE DATE: [Date]

VERSION: 1.0

1. PURPOSE

This policy establishes guidelines to ensure compliance with GDPR Article 29, which requires that all personal data processing occurs only under proper authority and instructions.

2. SCOPE

This policy applies to all employees, contractors, and processors who have access to personal data controlled by [Your Company].

3. AUTHORIZATION FRAMEWORK

3.1 Processing Authority Matrix

• A documented matrix will identify which roles may process which data categories and for what purposes.

• No processing may occur outside this matrix without formal amendment.

3.2 Processor Instructions

• All data processors will receive written instructions detailing:

- Permitted data types for processing

- Approved processing activities

- Prohibited uses

- Security requirements

- Return/deletion procedures

• Instructions will be reviewed annually and updated as needed.

4. IMPLEMENTATION PROCEDURES

4.1 Technical Controls

• Access control systems will enforce the Authorization Matrix: each role is granted access only to the data categories and functions its matrix entries require, and access is removed when the role changes or ends.

• System logging will record every access to personal data with the acting identity, role, data category, stated purpose and time, so that entries can be reconciled with the matrix; logs will be protected from alteration by the personnel whose activity they record.

• Data loss prevention tooling will flag attempts to export or transfer personal data outside approved channels.

4.2 Contractual Safeguards

• All employees: Confidentiality and compliance agreements

• All processors: Article 28-compliant data processing agreements

• All subprocessors: Flow-down of identical restrictions

5. TRAINING REQUIREMENTS

5.1 Initial Training

• All personnel with data access will complete GDPR training before access is granted.

• Training will specifically cover Article 29 restrictions.

5.2 Refresher Training

• Annual recertification required for continued data access.

• Ad-hoc training following any processing incidents.

6. MONITORING AND ENFORCEMENT

6.1 Regular Audits

• Quarterly reconciliation of processing logs against the Authorization Matrix, with any access by a role, data category or purpose not listed in the matrix treated as a finding.

• Annual processor compliance audits.
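
The quarterly reconciliation in 6.1 can be automated. The script below is an added illustration, not part of this guide or of any product: the authority matrix, the JSON-per-line log format, the role, category and purpose names, and the log lines themselves are all constructed for the example. It treats four situations as findings (a role missing from the matrix, a category/purpose pair the role is not authorised for, an entry lacking the fields needed to judge it, and a claim of the Article 29 legal-obligation exception with no documented legal reference, as section 7.1 requires).

```python
"""Reconcile personal-data access logs against a processing authority matrix.

Added example for illustration. The matrix, log schema, names and the
sample log lines are hypothetical and constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical authority matrix: role -> set of (data_category, purpose)
# pairs the role may process. Anything not listed here is unauthorised.
AUTHORITY_MATRIX: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "billing_clerk": frozenset({("account_data", "billing"),
                                ("contact_data", "billing")}),
    "support_agent": frozenset({("contact_data", "customer_support"),
                                ("account_data", "customer_support")}),
    "dba":           frozenset({("account_data", "maintenance"),
                                ("contact_data", "maintenance")}),
}

# Processing claimed under the Article 29 carve-out (required by Union or
# Member State law) is accepted only if it cites a documented legal
# requirement record (policy section 7.1). Field names are hypothetical.
LEGAL_EXCEPTION_PURPOSE = "legal_obligation"


@dataclass(frozen=True)
class Finding:
    line_no: int
    actor: str
    reason: str


def parse_log_line(line: str) -> dict:
    """One JSON object per line (constructed log format)."""
    return json.loads(line)


def audit(log_lines: List[str],
          matrix: Dict[str, FrozenSet[Tuple[str, str]]] = AUTHORITY_MATRIX
          ) -> List[Finding]:
    """Return one Finding per log entry that is not covered by the matrix."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = parse_log_line(raw)
        except json.JSONDecodeError:
            # An entry we cannot read cannot be shown to be authorised.
            findings.append(Finding(n, "?", "unparseable log entry"))
            continue
        actor = ev.get("actor", "?")
        role, cat, purpose = ev.get("role"), ev.get("data_category"), ev.get("purpose")
        if not (role and cat and purpose):
            findings.append(Finding(n, actor, "missing role/category/purpose"))
            continue
        if purpose == LEGAL_EXCEPTION_PURPOSE:
            if ev.get("legal_ref"):
                continue  # documented legal requirement: outside the matrix by design
            findings.append(Finding(n, actor, "legal_obligation claimed without legal_ref"))
            continue
        allowed = matrix.get(role)
        if allowed is None:
            findings.append(Finding(n, actor, f"role '{role}' not in authority matrix"))
        elif (cat, purpose) not in allowed:
            findings.append(Finding(n, actor, f"role '{role}' not authorised for {cat}/{purpose}"))
    return findings


# Constructed sample log: one authorised entry, one purpose outside the
# role's authority, one data category outside it, an unknown role, a valid
# legal-obligation entry, an undocumented one, and an entry missing purpose.
SAMPLE_LOG = """
{"actor": "alice", "role": "billing_clerk", "data_category": "account_data", "purpose": "billing"}
{"actor": "bob", "role": "support_agent", "data_category": "account_data", "purpose": "marketing_research"}
{"actor": "carol", "role": "dba", "data_category": "health_data", "purpose": "maintenance"}
{"actor": "dave", "role": "intern", "data_category": "contact_data", "purpose": "customer_support"}
{"actor": "erin", "role": "billing_clerk", "data_category": "account_data", "purpose": "legal_obligation", "legal_ref": "LEGAL-2024-017"}
{"actor": "frank", "role": "billing_clerk", "data_category": "account_data", "purpose": "legal_obligation"}
{"actor": "grace", "role": "support_agent", "data_category": "contact_data"}
""".strip().splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.actor}: {f.reason}")
```

Run against the constructed log, the audit reports five findings (bob, carol, dave, frank and grace) and passes alice's and erin's entries. The important design choice is that the matrix is an allow-list: an access is a finding unless a matrix entry or a documented legal requirement covers it, which mirrors how Article 29 frames the rule.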

6.2 Violation Consequences

• Employees: Disciplinary action up to termination.

• Processors: Breach notice, remediation requirement, possible contract termination.

• Notification of the supervisory authority where legally required (Article 33: without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach), and of affected data subjects where Article 34 applies.

7. EXCEPTION PROCESS

7.1 Legal Processing Exceptions

• Document any processing required by EU or Member State law.

• Legal department to verify and document such requirements.

7.2 Emergency Processing

• Define a formal exception process for urgent situations.

• Post-processing review required within 24 hours.

8. DOCUMENTATION REQUIREMENTS

8.1 Records of Processing Activities

• Maintain the record of processing activities required by Article 30, and retain the system logs generated under section 4.1 for as long as needed to support the audits in section 6.1.

• Document all processing instructions issued to processors.

8.2 Compliance Evidence

• Regular attestations from processors confirming compliance.

• Training completion records for all personnel.

9. REVIEW SCHEDULE

This policy will be reviewed annually by the Data Protection Officer.

Approved by: _______________________

[Name, Title]

Date: _____________________________

By thoroughly implementing these measures, organizations can effectively comply with Article 29's requirements while strengthening their overall GDPR compliance posture.

Copyright © GDPR-CCPA. All rights reserved