Processing under the authority of the controller or processor

General Data Protection Regulation · UE 2016/679

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Article 29 is the most frequent blind spot in CNPD inspections: the DPA is signed with the processor, but no written record proves that individual staff members (employees, contractors, freelancers, interns, on-site consultants) received and accepted written instructions. When an incident occurs, the authority asks for the evidence that Jean-Marc from L2 support knew he could not export a client CSV to 'test' his new Power BI. Without that trace, CNPD and CNIL reclassify the unauthorised access as an Article 32 breach, and the employer loses any defence based on individual fault.

Practical pitfalls

IT charter signed at onboarding in 2018, never updated since the arrival of M365 Copilot, ChatGPT Enterprise or Make/Zapier connectors.
On-site contractors (consultancies, Malt freelancers, Adecco temps) accessing the IS without a confidentiality undertaking distinct from the vendor commercial contract.
IT admins and DBAs with root access to client databases, with no documented instruction matrix on what they may or may not read in clear text.
Sub-processors in cascade (the developer of your integrator's subcontractor) never informed of the purposes and limits of processing.
No traceability: no log can prove who read what, when, and under which instruction.

How Luxgap automates this risk

Our Luxgap Instruction Chain Enforcer makes access to personal data impossible without a trace of accepted instruction, turning the declarative obligation of Article 29 into an automated technical barrier. The tool connects to your Active Directory, Azure AD, Okta, M365, Salesforce and Odoo, intercepts every new rights assignment and triggers a contextual instruction workflow based on the data scope the user is about to access.

Detects every new access to personal data via Microsoft Graph, Salesforce Event Monitoring and Odoo logs, and blocks session opening until the matching instruction is electronically signed.
Generates differentiated written instructions by profile (HR, support, devOps, marketing, external contractor) referencing the Article 30 register purposes and specific prohibitions (export, third-party generative AI, transfer outside the EU).
Automatically reassesses instructions every 12 months or as soon as a processing activity evolves in the register, and reissues timestamped electronic signature via DocuSign, Yousign or LuxTrust.
Distinguishes internal staff, temps and on-site contractors to apply reinforced confidentiality undertakings to external populations.
Produces a cryptographically sealed PDF report, admissible before the CNPD, demonstrating for each access: who, when, under which signed instruction, with which authorisation level.
Alerts in real time on Teams or Slack when a user attempts an out-of-instruction action (mass export, login from high-risk country, abnormal SQL query).

Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real directories, with a free 48-hour assessment to map the accesses not covered by a written instruction before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Processing under the authority of the controller or processor

They trust us

Before we chat