GDPR A.29-01: Processing Under Authority of Controller or Processor
Under GDPR Article 29, anyone with access to personal data—whether a processor or controller staff—must follow strict instruction protocols. Unauthorized processing, even by authorized personnel, creates serious compliance gaps. This control ensures your organization maintains documented data handling authority and prevents rogue processing.
What this means
This control requires that processors and any individual acting under a controller's authority can only process personal data when explicitly instructed to do so by the controller. No processor or staff member may independently decide to process, share, or use personal data beyond their documented authorization. The only exception is when Union or Member State law mandates processing. This establishes a clear chain of custody and accountability for every data handling action.
How to comply
- 1.Document all processor relationships with Data Processing Agreements (DPAs) that specify permitted processing activities and scope
- 2.Create written data handling instructions for every processor role and controller staff member with data access
- 3.Implement role-based access controls limiting each person to only authorized processing purposes
- 4.Establish approval workflows requiring controller authorization before any new processing activity begins
- 5.Audit processor activities regularly to confirm processing stays within instructed scope
- 6.Maintain records of all instructions issued and processor compliance with those instructions
- 7.Train all data handlers on instruction requirements and consequences of unauthorized processing
Evidence auditors look for
- Signed Data Processing Agreements with explicit permitted processing descriptions
- Written processing instructions documented per processor or role
- Access control logs showing role-based data access limitations
- Processor authorization forms with controller signatures and dates
- Audit trails of processing activities with corresponding documented instructions
- Training records confirming data handler instruction compliance
- Incident logs documenting investigation of unauthorized processing attempts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates processor instruction workflows and access control tracking, generating audit-ready evidence that every data handler processed only as instructed.
See how GRCWatch handles this control automatically
Start free trial