The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
References
- GDPR references
- Fines
- Recitals
- Directive 95/46/EC
- SA
- Case-law
No GDPR article references available for this article.
Infringements regarding the obligations of the controller and the processor pursuant to this article shall, in accordance with Article 83(2), be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
No GDPR recitals available for this article.
Article 16 Confidentiality of processing
| Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law. |