
Data Processor

What does Data Processor mean?

A data processor is an organization or individual that handles personal data on behalf of a data controller. The processor carries out tasks such as storing, transmitting, analyzing, or managing personal information according to the controller’s documented instructions. Examples of data processors include cloud hosting services, analytics vendors, email delivery platforms, and outsourced customer support providers.

How does a Data Processor work?

A data processor only handles personal data under the direction of the data controller. The controller decides what data is collected, why it is collected, and how it should be used. The processor provides the technical or operational support needed to carry out these instructions. Many privacy laws, including GDPR, require a written contract outlining what the processor may and may not do with the data. This contract also obligates the processor to follow security requirements, assist with user rights requests, and notify the controller of potential breaches.

FAQs about data processors

No. A data processor cannot determine the purpose or essential means of processing. Those decisions belong to the data controller. The processor follows the controller’s written instructions and is not permitted to repurpose or use the data for independent objectives.

Yes. Many organizations act as a controller for some activities and a processor for others. The role depends on the specific processing activity. For example, a marketing platform may be a processor when sending emails for clients, but a controller for managing its own employee data.

Yes. Laws such as GDPR require a “data processing agreement” that defines the scope of processing, security measures, subcontracting rules, responsibilities, and requirements for assisting with user rights and incident notifications. Without this agreement, both parties risk non-compliance and liability.

Processors may engage other processors—often called subprocessors—but only with the controller’s authorization. The processor must ensure subprocessors follow equivalent data protection obligations, and must remain accountable for their actions.

Processors must implement appropriate security measures, assist controllers in responding to access or deletion requests, maintain processing records when required, support audits, and notify controllers of data breaches without undue delay. They are responsible for ensuring staff confidentiality and for managing subprocessors properly.