Overview
This article requires that processors and any personnel authorized to act on their behalf process personal data only on the instructions of the controller. Personal data must not be processed for the processor's own purposes unless EU or Member State law requires it.
Key Principles
Controller Instructions: Processors must follow documented instructions from the controller.
Limited Purpose: Data must only be processed for the purposes defined by the controller.
Legal Exceptions: Processing outside instructions is allowed only if mandated by Union or Member State law.
Accountability: Controllers remain responsible for ensuring processors comply with instructions.
Organizational Applicability
This article applies to all organizations processing personal data within the EU:
Controllers delegating processing activities to processors.
Processors and personnel authorized to process data on behalf of controllers.
Public and private sector entities managing outsourced or internal processing operations.
Implementation Requirements
Establish and communicate documented instructions to all processors and authorized personnel.
Ensure processors and staff process personal data only according to these instructions.
Maintain records of instructions and any processing conducted under legal exceptions.
Implement oversight to verify compliance with instructions.
Implementation Guidance
Include processing instructions in contracts and internal policies.
Monitor processors and staff to ensure compliance with the defined scope of processing.
Train personnel to understand and follow controller instructions.
Review and update instructions periodically to reflect processing changes or legal updates.
Periodic Review
Frequency: Annually or whenever processing activities or instructions change.
Responsible Role: Data Protection Officer (DPO), Compliance Team, or Legal.
Outcome: Confirm that all processing carried out under the authority of the controller or processor stays within the documented instructions and is properly recorded.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Liability for unauthorized processing or deviation from instructions.
Reputational Damage: Loss of trust from data subjects, partners, and regulators.
Operational Risk: Misuse of data due to failure to adhere to controller instructions.