GRCWatch
Sign inStart free trial

GDPR A.29-01: Processing Under Authority of Controller or Processor

Under GDPR Article 29, anyone with access to personal data—whether a processor or controller staff—must follow strict instruction protocols. Unauthorized processing, even by authorized personnel, creates serious compliance gaps. This control ensures your organization maintains documented data handling authority and prevents rogue processing.

What this means

This control requires that processors and any individual acting under a controller's authority can only process personal data when explicitly instructed to do so by the controller. No processor or staff member may independently decide to process, share, or use personal data beyond their documented authorization. The only exception is when Union or Member State law mandates processing. This establishes a clear chain of custody and accountability for every data handling action.

How to comply

  1. 1.Document all processor relationships with Data Processing Agreements (DPAs) that specify permitted processing activities and scope
  2. 2.Create written data handling instructions for every processor role and controller staff member with data access
  3. 3.Implement role-based access controls limiting each person to only authorized processing purposes
  4. 4.Establish approval workflows requiring controller authorization before any new processing activity begins
  5. 5.Audit processor activities regularly to confirm processing stays within instructed scope
  6. 6.Maintain records of all instructions issued and processor compliance with those instructions
  7. 7.Train all data handlers on instruction requirements and consequences of unauthorized processing

Evidence auditors look for

  • Signed Data Processing Agreements with explicit permitted processing descriptions
  • Written processing instructions documented per processor or role
  • Access control logs showing role-based data access limitations
  • Processor authorization forms with controller signatures and dates
  • Audit trails of processing activities with corresponding documented instructions
  • Training records confirming data handler instruction compliance
  • Incident logs documenting investigation of unauthorized processing attempts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates processor instruction workflows and access control tracking, generating audit-ready evidence that every data handler processed only as instructed.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR Article 28 - Processor RequirementsGDPR Article 32 - Security of ProcessingGDPR Article 5 - Principles of Data Processing