Looking for an external Data Protection Officer?DATUREX GmbH Dresden

GDPR — Table of Contents

AI-generated summary

This provision requires that any person acting under the authority of the controller or processor who has access to personal data must process those data only on instructions from the controller. The only exception is where Union or Member State law requires otherwise, ensuring a clear chain of command and preventing unauthorised processing by subordinates.

Art. 29 GDPR

Processing under the authority of the controller or processor

(1)The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Source:: EUR-Lex CELEX 02016R0679-20160504
Citation:: OJ L 119, 04.05.2016, p. 1; corrected by OJ L 127, 23.05.2018, p. 2
As of:: 2016-05-04
Retrieved:: 2026-02-25