
Article 29 GDPR
Processing authorised by the controller or processor
The controller and any person acting under the authority of the controller or controller and having access to personal data shall only process it at the controller's request, unless required by Union or Member State law.

