Data Processor
A natural or legal person or entity that processes personal data on behalf of and according to the instructions of a data controller, generally without independent purpose-setting authority.
What Is a Data Processor?
A data processor is any party that processes personal data on behalf of a controller, acting only on the controller's documented instructions. Cloud hosting providers, payroll vendors, email marketing platforms, SaaS applications, and similar service providers typically operate as processors when handling personal data of their customers' end users. The processor does not decide why the data is processed — that authority belongs to the controller.
GDPR Article 28 Requirements
Controllers must engage processors through a written contract or other binding legal act that includes:
- The subject matter, duration, nature, and purpose of processing
- The types of personal data and categories of data subjects
- Obligations and rights of the controller
- Processing only on documented instructions of the controller
- Confidentiality obligations on personnel
- Security measures meeting Article 32
- Use of sub-processors only with prior authorization
- Assistance with data subject rights requests
- Assistance with security and breach notification obligations
- Deletion or return of data at the end of the engagement
- Audit rights for the controller
Processor Liability
Processors are directly liable under the GDPR for non-compliance with processor-specific obligations and can be fined by supervisory authorities and sued by data subjects. Processors that determine processing purposes or means become controllers for that processing and assume controller responsibilities. Most professional Data Processing Agreements (DPAs) supplement the underlying service agreement and incorporate Standard Contractual Clauses for any international transfers.