In 2021, Ireland's Data Protection Commission imposed a £225 million fine on WhatsApp. The reason? WhatsApp had failed to appropriately inform its users and obtain their consent before sharing their data with its parent company, Facebook.
The Commission specifically accused WhatsApp of violating Article 29 by failing to obtain its users' consent. Furthermore, the body found WhatsApp's consent mechanism to be both unclear and vague: users were not presented with a discernible choice as to whether they consented to having their data shared with Facebook.
The incident serves as a critical reminder for businesses and other organizations of how important it is to comply with Article 29. An organization's own data processing activities may be in order, but failing to put measures in place to monitor whether its third parties do the same can have harsh consequences, as was the case with WhatsApp.
For organizations aiming to comply with Article 29 of the General Data Protection Regulation (GDPR), here's what you need to know:
What is Article 29 of the GDPR?
Article 29 is a relatively straightforward provision of the GDPR. It mandates that any data processor carrying out processing activities on behalf of a data controller may process the data only on the instructions of that controller.
The only exception to this strict requirement is where following the controller's instructions would contradict Union or Member State law.
Why is Article 29 Important?
Since coming into effect in 2018, the GDPR has garnered a reputation for being extraordinarily thorough in ensuring that data subjects' rights and freedoms related to their data are appropriately protected.
Article 29 demonstrates this perfectly by ensuring that data subjects' personal data remains appropriately protected even when third parties are processing it.
If a data controller delegates processing activities to a data processor, the data processor may carry out those activities only by strictly following the instructions provided by the data controller.
Additionally, the data controller remains responsible for ensuring that all processing activities conducted on its behalf are carried out in a GDPR-compliant manner.
In other words, when an organization decides to outsource some of its data collection and processing activities to other organizations, Article 29 ensures that users' data remains protected by GDPR-compliant measures. Such measures drastically reduce the likelihood of data breaches and other privacy incidents, because the data controller retains ongoing visibility into the processing the processor performs on its behalf.
How to Ensure Compliance With Article 29
Some measures data controllers and processors can undertake to ensure compliance with Article 29 of the GDPR include the following:
- When delegating processing tasks to a processor, the controller must select processors that offer adequate guarantees, especially in terms of expertise, reliability, and resources. These processors should be capable of implementing the technical and organizational measures necessary to fulfill the requirements of the GDPR, including those related to the security of processing;
- The processor's processing activities must be governed by a contract or another legally binding instrument under Union or Member State law that binds the processor to the controller. This agreement should set out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, and the categories of data subjects. It should also take into account the specific duties and responsibilities of the processor within the processing context, as well as the risks to the rights and freedoms of data subjects;
- The processor's adherence to an approved code of conduct or an approved certification mechanism can serve as a means of demonstrating that the controller's obligations are met;
- Upon completion of the processing on behalf of the controller, the processor is required, at the controller's choice, to either return or erase the personal data, unless Union or Member State law applicable to the processor requires that the data be retained;
- Schedule regular audits of the data processor's processing activities to verify its continued compliance with the data processing agreement described above.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
The Data Command Center gives you access to numerous critical modules and products. Vendor Risk Assessment is one such product: it provides a single repository for all of an organization's third-party assessments and a single view of all ongoing assessments.
As a result, collaboration with internal and external stakeholders can be streamlined through a secure dashboard.
Similarly, the Data Access Governance module can be leveraged to gain specific insights into which personnel and applications have access to what sensitive data, as well as the geographic region, specific system, or regulations tied to that data. Consequently, policies can be set up to control access to data based on the type, sensitivity, system, location, or regulatory requirements.
Request a demo and learn more about how Securiti can help your organization comply with your responsibilities under Article 29 of the GDPR.