Privacy

Data Processor

An entity that processes personal data on behalf of a data controller.

A data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

What Makes You a Processor?

You are a processor when you handle personal data under instructions from another entity, rather than deciding yourself why and how the data should be processed.

Obligations

  • Process data only on documented instructions from the controller
  • Ensure staff are bound by confidentiality
  • Implement appropriate security measures
  • Assist the controller with data subject rights requests
  • Delete or return data after the service contract ends
  • Only engage sub-processors with prior authorization from the controller
  • Sign a Data Processing Agreement

Examples

  • A cloud hosting provider storing customer databases
  • A payroll service processing employee salaries
  • An email service provider sending marketing emails

Defined in GDPR Article 4(8). Obligations detailed in Article 28.

Related Terms

Personal DataPrivacy

Any information that can identify a living individual, directly or indirectly.

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

Data Processing AgreementCompliance

A legally binding contract between a data controller and a data processor that governs how personal data is handled.

Sub-ProcessorCompliance

A third party engaged by a data processor to process personal data on behalf of the data controller.

Data Processing AgreementData Retention