
Basics to Know About Article 29 of the GDPR

Published January 1, 2024
Author

Anas Baig

Product Marketing Manager at Securiti


In 2021, WhatsApp was slapped with a £225 million fine imposed by Ireland’s Data Protection Commission. The reason? WhatsApp had failed to appropriately inform and gain their users’ consent before sharing their data with their parent company, Facebook.

The Commission specifically accused WhatsApp of violating Article 29 by failing to obtain their users’ consent. Furthermore, the body found WhatsApp’s consent mechanism to be both unclear and vague, with users not being presented with a discernible choice related to whether they consent to having their data shared with Facebook.

The incident serves as a critical reminder for businesses and other organizations about how important it is to comply with Article 29. An organization's own data processing activities may be in order, but failing to put measures in place to monitor its third parties’ ability to do the same can have harsh consequences, as was the case with WhatsApp.

For organizations aiming to comply with Article 29 of the General Data Protection Regulation (GDPR), here's what you need to know:

What is Article 29 of the GDPR?

Article 29 is a relatively straightforward provision of the GDPR. It requires every data processor carrying out processing activities on behalf of a data controller to proceed only with the processing activities as instructed by the controller.

The only exception to this strict requirement is where proceeding with the processing activities as instructed by the controller would contradict a Union or Member State law.

Why is Article 29 Important?

Since coming into effect in 2018, the GDPR has garnered a reputation for being extraordinarily thorough in ensuring data subjects’ rights and freedoms related to their data are appropriately protected.

Article 29 demonstrates this perfectly by ensuring that even when third parties are processing data subjects' personal data, that data is protected appropriately.

If a data controller delegates processing activities to a data processor, the data processor can only carry out the processing activities by strictly following the instructions provided by the data controller.

Additionally, the data controller remains responsible for ensuring that all processing activities conducted under their name are done in a GDPR-compliant manner.

In other words, when an organization decides to outsource some of its data collection and processing activities to other organizations, Article 29 ensures that the users' data is appropriately protected via GDPR-compliant measures. Such measures drastically reduce the chances of potential data breaches or other privacy incidents, as data controllers retain real-time insights into the processing activities carried out by the processor on their behalf.

How to Ensure Compliance With Article 29

Some measures data controllers and processors can undertake to ensure compliance with Article 29 of the GDPR include the following:

  • When delegating processing tasks to a processor, the controller must select processors that offer adequate guarantees, especially in terms of expertise, reliability, and resources. These processors should be capable of implementing the necessary technical and organizational measures to fulfill the stipulations of GDPR, including those related to processing security;
  • The processing activities by a processor must adhere to a contractual arrangement or another legally binding instrument established by Union or Member State law, which obligates the processor to the controller. This agreement should outline the scope and timeframe of the processing, the characteristics and objectives of the processing, the personal data types, and the categories of data subjects. It should also consider the specific duties and responsibilities of the processor within the processing context, as well as the potential risks to the rights and freedoms of the data subject;
  • The processor's compliance with an approved code of conduct or an approved certification mechanism can serve as a means to showcase adherence to the controller's obligations;
  • Upon concluding the processing on behalf of the controller, the processor is required, at the controller's discretion, to either return or erase the personal data unless there exists an obligation to retain such data according to the laws of the Union or the Member State governing the processor;
  • Schedule regular audits of the data processor's processing activities to ensure their consistent compliance with the aforementioned data processing agreement.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

You can access numerous critical modules and products with the Data Command Center. Vendor Risk Assessment is one such product. It provides a single repository for all of an organization's third-party assessments and a single view of all ongoing assessments.

As a result, collaboration with internal and external stakeholders can be streamlined via a safe and secure dashboard.

Similarly, the Data Access Governance module can be leveraged to gain specific insights into which personnel and applications have access to what sensitive data, as well as the geographic region, specific system, or regulations tied to that data. Consequently, policies can be set up to control access to data based on the type, sensitivity, system, location, or regulatory requirements.

Request a demo and learn more about how Securiti can help your organization comply with your responsibilities under Article 29 of the GDPR.
