The classic trap
Article 29 looks harmless, but it targets a very concrete risk: unauthorised initiative. An employee, a system administrator or a processor who consults or uses personal data outside documented instructions creates unlawful processing attributable to the controller. The CNPD and the CNIL regularly sanction unauthorised access to HR files, consultations of customer records out of curiosity, or processors who reuse data for their own purposes. The core issue: the absence of a traceable instruction chain between the controller and every person who touches the data.
The test the CNPD applies during an audit
Faced with a disputed access, the authority does not just ask for your policies: it verifies that each person with access holds a documented instruction and that their actual actions match it. The points that decide a case:
- Existence of a service note or contractual clause defining the exact scope of authorised processing for each role.
- Confidentiality undertaking signed by every person with access (directly linked to Article 28(3)(b) for processors).
- Access logs proving that consultations correspond to a legitimate and instructed purpose.
- Absence of residual access after a job change or a departure (orphan accounts, unrevoked rights).
- Traceability of reuse: a processor exceeding instructions becomes an autonomous controller and engages its own liability.
The operational trap: organisations document instructions at the global contract level but cannot prove that each individual operated within their scope.
How Luxgap automates this risk
Our Luxgap Instruction Boundary Monitor makes access outside instructions impossible by confronting real access in real time with the authorised scopes you have declared. The tool connects to your Active Directory, Microsoft Defender, Azure Sentinel, Odoo and M365 shares to map who touches which data, and instantly detects any gap between effective access and documented instruction, without asking anyone to fill in a form.
- Continuously detects (5-minute cron) each access to personal data via Active Directory, Defender and Sentinel logs, and confronts it with the person's authorised role.
- Instantly alerts on Teams or Slack as soon as a consultation falls outside the instructed scope (HR access by a salesperson, customer export by an intern, reuse by a processor).
- Generates and electronically signs the Article 29 and 28(3)(b) confidentiality undertakings, with automatic reminders for each newcomer detected in your directory.
- Scans orphan accounts and residual rights after a departure or a job change, and proposes one-click revocation.
- Produces a timestamped PDF report enforceable before the CNPD, demonstrating that each access matched a documented instruction and an authorised scope.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real directory, with a free blind audit within 48h to measure your out-of-instruction access before any commitment.