A processor may process personal data only on what type of instructions?

The requirement for a processor to handle personal data strictly according to documented instructions from the controller is rooted in the principles of data protection, particularly under the General Data Protection Regulation (GDPR). This principle ensures accountability and clarity in the handling of personal data.

Documented instructions provide a clear framework for the processor’s actions, minimizing risks of non-compliance and ensuring that personal data is processed in accordance with the controller's expectations and legal obligations. By relying on written instructions, both parties can maintain a clear understanding of their responsibilities, the purpose of data processing, and the scope of what can be done with the data. This practice also supports transparency and facilitates audits or assessments of compliance.

Oral instructions and verbal agreements do not offer the same level of clarity and accountability as documented instructions. In legal contexts, especially concerning data protection, having written records is crucial for demonstrating compliance and protecting the interests of data subjects. Implied consent lacks the explicit confirmation and documentation necessary to ensure that processing adheres to regulatory requirements, which underscores why only documented instructions are sufficient for a processor to act lawfully.