Processing under the authority of the controller or processor
There is no recital in the Regulation related to article 29.
There is no recital in the Directive related to article 29.
Article 29 of the new Regulation now states that any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Article 16 of the Directive established the fundamental principle of confidentiality with respect to the personal data protection: any activity dealing with personal data processing can be performed only on the instruction of the controller.
This requirement also applies to any person who has access to the personal data, whether this access is made by a person acting under the authority of the controller or the processor as well as to the processor him/herself.
This provision poses difficulty if no direct link exists between the data subject and the controller - the latter not being organized contractually or otherwise - if the data subject concerned - such as an employee – works under the authority of a processor or a secondary processor. Doubtless, there will be a need to interpret it in this sense that it comes to the instructions received from the processor himself that he or she must transfer to his or her secondary processor. Let’s recall that the latter is responsible for the actions of its indirect processors and that logically, each of them is responsible for the people working under his or her authority.
This provision also seems to largely duplicate Article 32 (4) of the Regulation which reiterates its contents as a variation of the security obligation.Austria
Concerning § 6 DSG:
Para (2) uses the term 'transmit' instead of 'process' as in Article 29 GDPR. It might be reasonably assumed that the term 'transmit' in para (2) should therefore be "read as" 'process' and para (2) should apply to all different kinds of data processing activites, not only to the transmission of data to third parties.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
1st proposal close
1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:
(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(c) take all required measures pursuant to Article 30;
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
2nd proposal close
1. (...). The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (...) in such a way that the processing will meet the requirements of th is Regulation (...).
1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.
2. The carrying out of processing by a processor shall be governed by a contract or a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of the controller (...) and stipulating, in particular that the processor shall:
(a) process the personal data only on instructions from the controller (...), unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;
(c) take all (...) measures required pursuant to Article 30;
(d) respect the conditions for enlisting another processor (...), such as a requirement of specific prior permission of the controller;
(e) (...) taking into account the nature of the processing, assist the controller in responding to requests for exercising the data subject’s rights laid down in Chapter III;
(f) (...) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) return or delete, at the choice of the controller, the personal data upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;
(h) make available to the controller (...) all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller. The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.
2a. Where a processor enlists (...) another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the cont roller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and or ganisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.
2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.
2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).
2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.
3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
Confidentiality of data
§ 6 DSG
(1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).
(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.
(3) The controller and the processor shall inform the employees affected by these orders about the transmission orders applicable to them and about the consequences of a violation of data confidentiality.
Old law close
In force until May 25, 2018:
Obligations of the Processor
§ 11 DSG 2000
(1) Irrespective of contractual obligations, all processors have the following obligations when using data for a controller:
1. to use data only according to the instructions of the controller; in particular, the transmission of the data used is prohibited unless so instructed by the controller;
§3. Toute personne agissant sous l'autorité du responsable du traitement ou celle du sous-traitant, ainsi que le sous-traitant lui-même, qui accède à des données à caractère personnel, ne peut les traiter que sur instruction du responsable du traitement, sauf en cas d'une obligation imposée par ou en vertu d'une loi, d'un décret ou d'une ordonnance.