GDPR : Article 29 - Processing Under The Authority of The Controller Or Processor

by Avinash V


A key aspect of article 29 in GDPR is the differentiation between data controllers and data processors, as well as the principles and guidelines governing the processing of personal data under the authority of these entities. Explore the nuanced concept of processing personal data under the authority of the controller or processor, exploring its significance, implications, and obligations under GDPR.

GDPR : Article 29 - Processing Under The Authority of The Controller Or Processor

Distinction between Data Controller and Data Processor 

To understand the concept of processing personal data under the authority of the controller or processor, it is essential to first grasp the distinction between these two roles. A data controller is an entity that determines the purposes and means of processing personal data.

In contrast, a data processor is an entity that processes personal data on behalf of the controller, acting solely under the controller's instructions. The GDPR places distinct responsibilities on both controllers and processors, ensuring a coherent and comprehensive approach to data protection.

Processing Under the Authority of the Controller

Processing personal data under the authority of the controller entails a direct relationship between the controller and the data subject. The controller holds the primary responsibility for ensuring that personal data is processed in accordance with GDPR principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

The controller must obtain explicit consent or rely on another legal basis for processing, ensuring that individuals are aware of and agree to the processing of their data.

Additionally, the controller must implement appropriate technical and organizational measures to safeguard the rights and freedoms of data subjects. This may involve encryption, access controls, regular data protection impact assessments, and the appointment of a Data Protection Officer (DPO) in certain cases.

The controller is also responsible for notifying relevant authorities and affected individuals in the event of a data breach, ensuring a swift and effective response to minimize potential harm.

Processing Under the Authority of the Processor

Processing personal data under the authority of the processor requires a distinct set of responsibilities. Processors are bound by a contractual agreement with the controller, outlining the scope, nature, and purpose of processing. This agreement serves to ensure that processors adhere to the controller's instructions and comply with GDPR obligations. Processors are prohibited from processing personal data for any purposes other than those specified by the controller, ensuring a strict limitation on data usage.

Under GDPR, processors must implement appropriate security measures to protect personal data from breaches or unauthorized access. They are also required to assist controllers in meeting their obligations, including conducting data protection impact assessments and facilitating data subject rights, such as access, rectification, and erasure requests.

Processors are further obligated to notify controllers of any breaches promptly, enabling the controller to take necessary actions and report incidents to relevant authorities.

GDPR Implementation Toolkit

Joint Controllership and Shared Responsibilities

In some cases, multiple entities may act as joint controllers, sharing responsibilities for processing personal data. Joint controllers must establish a clear arrangement specifying their respective roles and obligations, particularly concerning data subjects' rights and requests. Transparency and cooperation between joint controllers are crucial to ensure GDPR compliance and effective data protection.

Furthermore, controllers may engage sub-processors to carry out specific processing activities on their behalf. When doing so, controllers must ensure that sub-processors adhere to GDPR requirements and offer sufficient guarantees regarding data protection. Contracts between controllers and sub-processors should outline the latter's obligations and establish a chain of responsibility for processing activities.

Navigating GDPR: Processing Under Controller or Processor Authority

In the dynamic realm of data privacy, GDPR's foundation for processing personal data under controller or processor authority is pivotal. This intricate framework adapts seamlessly to technological shifts, enhancing individual rights in an interconnected world. Upholding data minimization, consent, and accountability principles remains central, guiding organizations through GDPR's nuanced landscape.

By responsibly managing data, entities preserve privacy while harnessing its transformative power. Embracing these roles empowers organizations to navigate GDPR's complexities, fostering trust, innovation, and a secure digital future for both individuals and industries.


The concept of processing personal data under the authority of the controller or processor is a fundamental aspect of GDPR compliance. It embodies the principles of accountability, transparency, and data protection that underpin the regulation. Data controllers and processors play distinct yet interrelated roles in safeguarding individuals' personal data rights.

GDPR Implementation Toolkit