Data Processor
An entity that processes personal data on behalf of and under the instructions of a data controller.
A data processor is an organization or individual that processes personal data on behalf of a data controller, following the controller’s instructions rather than making independent decisions about the data. Common examples include cloud hosting providers, email marketing platforms, analytics services, and payment processors. Under the GDPR, the relationship between controller and processor must be governed by a formal Data Processing Agreement (DPA) that specifies the scope, nature, and purpose of the processing.
Data processors have their own compliance obligations under the GDPR, including implementing appropriate security measures, not engaging sub-processors without the controller’s authorization, assisting the controller with data subject requests and breach notifications, maintaining records of processing activities, and deleting or returning data at the end of the service relationship. A processor that acts outside the controller’s instructions — for example, using the data for its own purposes — may be reclassified as a controller and assume full controller obligations and liability.