
What is GDPR Article 29 and Why Does it Matter?

GDPR Article 29 requires organisations to only process data on instruction, unless required to do otherwise by a legal authority.

GDPR Article 29 Legal Text

EU GDPR Version

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

UK GDPR Version

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so under domestic law.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.





ISO 27701 Clause 8.2.2 (Organization’s Purposes) and EU GDPR Article 29

From the outset, PII should only ever be processed in accordance with the customer’s instructions.

Contracts should include SLAs relating to mutual objectives, and any associated timescales within which they need to be completed.

Organisations should acknowledge their right to choose the distinct methods used to process PII that lawfully achieve what the customer is looking for, without needing to obtain granular permissions on how the organisation goes about it on a technical level.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
| --- | --- | --- |
| EU GDPR Article 29 | ISO 27701 8.2.2 | None |

How ISMS.online Helps

Our pre-built environment integrates seamlessly into your management system and allows you to describe and demonstrate how you protect European and UK customer data.

A breach of GDPR can result in significant fines, making it one of the world’s toughest privacy and security regulations. This implies that organisations must protect personal data to a ‘reasonable’ extent.

But here’s the good news.

In a secure, always-on location, ISMS.online makes it easy for you to jump right into GDPR compliance and demonstrate a level of protection that extends beyond ‘reasonable’.

Find out more by booking a short 30-minute demo.


David Holloway

Chief Marketing Officer

David Holloway is the Chief Marketing Officer at ISMS.online, with over four years of experience in compliance and information security. As part of the leadership team, David focuses on empowering organisations to navigate complex regulatory landscapes with confidence, driving strategies that align business goals with impactful solutions. He is also the co-host of the Phishing For Trouble podcast, where he delves into high-profile cybersecurity incidents and shares valuable lessons to help businesses strengthen their security and compliance practices.
