Processing Under Controller Authority
Plain English Translation
Under GDPR Article 29, anyone acting under the authority of a data controller or processor, such as employees or contractors, must strictly process personal data only according to the controller's direct instructions. This ensures that staff and external vendors do not misuse or independently decide how to use the personal data they access. The only exception to this rule is if the processing is explicitly required by European Union or Member State law.
Technical Implementation
Required Actions (startup)
- Require signed confidentiality agreements for all staff interacting with personal data.
- Implement basic Role-Based Access Control (RBAC) to restrict data access to necessary personnel.
- Sign standard Data Processing Agreements (DPAs) with core vendors.
Required Actions (scaleup)
- Maintain comprehensive Data Processing Agreements (DPAs) with all third-party vendors and sub-processors.
- Enable detailed system access logs to monitor employee interactions with personal data.
- Document specific processing instructions for all vendors handling personal data.
Required Actions (enterprise)
- Deploy continuous auditing and automated alerting for unauthorized data access attempts.
- Integrate identity and access management (IAM) solutions strictly tied to employment roles and explicit controller instructions.
- Conduct regular access reviews and log audits to ensure adherence to documented instructions.
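The monitoring and alerting controls listed above can be expressed as a check of access-log events against the controller's documented instructions. The following is an added example, not code from the page or from WatchDog Security; the instruction schema, role lookup, and log lines are constructed for illustration.

```python
"""Flag access-log events that fall outside documented controller instructions.

Added example: the Instruction fields, role table and log format are assumptions,
not a GDPR-mandated schema. Each alert is a candidate Article 29 finding
(processing not covered by an instruction) for the access-review queue.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    """One documented processing instruction from the controller (constructed)."""
    activity: str
    allowed_roles: frozenset
    data_categories: frozenset
    allowed_actions: frozenset


INSTRUCTIONS = {
    "payroll": Instruction("payroll", frozenset({"hr_admin"}),
                           frozenset({"name", "bank_account"}), frozenset({"read", "update"})),
}
ROLE_OF = {"alice": "hr_admin", "bob": "support"}  # constructed IAM role lookup


def check_event(event):
    """Return None if the event is covered by an instruction, else an alert reason."""
    instr = INSTRUCTIONS.get(event["activity"])
    if instr is None:
        return "no documented instruction for activity"
    role = ROLE_OF.get(event["user"])
    if role not in instr.allowed_roles:
        return f"role {role!r} not authorised for {instr.activity}"
    if event["action"] not in instr.allowed_actions:
        return f"action {event['action']!r} not in instruction"
    extra = set(event["fields"]) - instr.data_categories
    if extra:
        return f"fields outside instruction scope: {sorted(extra)}"
    return None


def audit_log(text):
    """Parse JSON-lines access log and return [(event_id, reason)] for every alert."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [(e["id"], r) for e in events if (r := check_event(e)) is not None]


# Constructed sample access log (JSON lines), not real data.
SAMPLE_LOG = """
{"id": 1, "user": "alice", "activity": "payroll", "action": "read", "fields": ["name", "bank_account"]}
{"id": 2, "user": "bob", "activity": "payroll", "action": "read", "fields": ["name"]}
{"id": 3, "user": "alice", "activity": "payroll", "action": "export", "fields": ["name"]}
{"id": 4, "user": "alice", "activity": "payroll", "action": "read", "fields": ["name", "health"]}
{"id": 5, "user": "alice", "activity": "marketing", "action": "read", "fields": ["name"]}
"""

if __name__ == "__main__":
    for event_id, reason in audit_log(SAMPLE_LOG):
        print(f"ALERT event {event_id}: {reason}")
```

Event 1 is within scope and produces no alert; events 2 to 5 each violate a different dimension of the instruction (role, action, data category, and activity with no instruction at all).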
GDPR Article 29 mandates that processing under the authority of the controller or processor must only occur on documented controller instructions. It applies to processors, sub-processors, and any internal staff, such as employees or contractors, who have access to personal data.
In practice, processing under authority under GDPR Article 29 means that anyone given access to personal data must strictly follow the boundaries defined by the controller. They cannot use the data for their own purposes, run unapproved analytics, or share it without explicit authorization.
Employees do not count as data processors; rather, they are individuals acting under the direct authority of the controller or processor. Therefore, GDPR Article 29 compliance requirements for employees dictate that they process data exclusively as directed by their employer.
Organizations should maintain strong technical and organisational measures for processing on instructions, such as system access logs, role-based access control configurations, signed employee confidentiality agreements, and documented data processing agreements. Tools like WatchDog Security's Compliance Center can help teams track these evidence items, assign owners, and monitor collection status to support audits.
A controller instructions template for data processing GDPR compliance should detail the specific scope, purpose, duration, and types of personal data being processed. It must also outline authorized actions and explicitly forbid any secondary use of the data.
A processor cannot decide the purpose or means of processing. A processor that acts without the controller's instructions becomes a controller for that activity and assumes full legal liability and penalties under the regulation.
Where processing is required by Union or Member State law, Article 29 provides an explicit exception. The processor must inform the controller of this legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
Implementing a robust GDPR Article 29 policy for employee access to personal data alongside strict Role-Based Access Control ensures staff only access data required for their roles. Regular access reviews and system access logs further prevent unauthorized use.
Article 29 reinforces the contractual obligations set out in Article 28 by strictly binding the processor and its staff to the controller's instructions. A signed Data Processing Agreement acts as the primary vehicle for delivering and documenting these processor instructions under GDPR. Tools like WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, track DPA status, and record processor instruction artifacts alongside assessments.
Auditors often rely on audit trails and logging as evidence of compliance with controller instructions, frequently citing missing system access logs, overly permissive user access rights, and a lack of clear processor staff training requirements as findings under GDPR Article 29.
Article 29 is easiest to defend when instructions and evidence are centralized and consistently reviewed. Tools like WatchDog Security's Compliance Center can map this control to required evidence (e.g., access reviews, DPA coverage, logging) and help track gaps and ownership so teams can demonstrate that processing occurs only on documented controller instructions.
Unauthorized processing often happens when expectations are unclear or not acknowledged by the workforce. Tools like WatchDog Security's Policy Management can help distribute data handling policies, track attestation/acceptance, and maintain version history so organizations can show that personnel were informed of and accepted rules requiring processing only on controller instructions.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |