General Data Protection Regulation

Article 29

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Holdings

C-741/2111 Apr 2024

GP v juris GmbH

A controller is not exempt from liability under paragraph 3 of Article 82 of Regulation 2016/679 merely by claiming that the damage was caused by a failure by a person acting under the controller's authority within the meaning of Article 29 of that regulation.