What Is a Data Processor?


Kevin Henry

Data Protection

October 11, 2022

5-minute read

Understanding what it means to be a data processor is essential for anyone handling personal information under the GDPR. Whether you’re providing IT services, managing payroll, or storing customer data for another organization, being a data processor comes with distinct responsibilities. If you process data on behalf of another party, you need to know exactly where your duties start and end.

At the heart of these responsibilities is compliance with strict legal requirements, including acting only on the documented instructions of the data controller and implementing robust security measures. With the growing reliance on sub-processors and international data transfers, it’s never been more important to understand your obligations.

From negotiating Data Processing Agreements (DPAs) to maintaining records of processing and respecting audit rights, data processors play a pivotal role in building trust and ensuring data protection in today’s digital landscape. In this guide, we'll break down everything you need to know about being a data processor, so you can stay compliant, confident, and in control.

Definition and scope

Under the GDPR, a data processor is any entity that processes personal data on behalf of a data controller, strictly following the controller’s instructions. This means you’re not deciding why or how personal data is used—you’re simply carrying out tasks as directed, such as storing, organizing, or transmitting data. The scope of a data processor’s activities is tightly defined and must always align with the explicit instructions from the data controller or as required by law, such as the Data Protection Act (DPA).

The GDPR makes it clear that data processors must not use personal data for their own purposes or outside the agreed scope. If a processor goes beyond the controller’s instructions, they risk assuming the role—and liabilities—of a data controller themselves. This clear boundary is vital for compliance and for building trust in business relationships involving sensitive information.

Key elements that define the scope of a data processor’s responsibilities include:

  • Adhering strictly to the data controller’s instructions—never improvising or repurposing data.
  • Applying appropriate security measures to protect personal data, as required by Article 32 of the GDPR. This includes technical and organizational safeguards to prevent unauthorized access, loss, or breaches.
  • Maintaining up-to-date records of processing activities (sometimes called a ROPA), which show exactly what data is being processed, for whom, and for what purpose. This is essential for demonstrating compliance and transparency.
  • Engaging sub-processors only with the data controller’s prior written authorization, and ensuring sub-processors comply with the same data protection obligations. The use of Standard Contractual Clauses (SCCs) is often required when sub-processors are located outside the EEA.
  • Facilitating audit rights by granting the data controller or regulators access to verify compliance with the GDPR and contractual obligations.

It’s important to note that these obligations apply regardless of the size of your business or the volume of data processed. As a data processor, your role is always secondary to the data controller’s decisions, but your legal responsibilities are significant. Failing to respect the defined scope, mishandling data, or delegating tasks to unauthorized sub-processors can result in severe legal and financial consequences.

By understanding and respecting the boundaries of the data processor role, you not only meet regulatory requirements but also build a foundation of trust and professionalism with your clients and partners.

Acting on documented instructions

Acting on documented instructions is a core principle for any data processor under the GDPR. The law is clear: a data processor must only process personal data in accordance with the written, documented instructions provided by the data controller or as required by the Data Protection Act (DPA) or other applicable laws.

These instructions are not just a formality—they define the boundaries and purpose of any data handling. As processors, we are not permitted to use or disclose data for any reason outside of what is specified in the agreement with the controller. If a request ever falls outside these instructions, it’s crucial to seek clarification, or even refuse, unless legal obligations require otherwise. This strict adherence helps ensure that everyone’s roles are respected and that the processing remains lawful and compliant.

Documented instructions may cover aspects such as:

  • The nature and duration of the processing
  • The categories of data and data subjects involved
  • Permitted types of processing activities
  • Requirements for maintaining records of processing
  • Obligations around data transfers, including the use of SCCs (Standard Contractual Clauses) when data leaves the EEA
  • Procedures for appointing and managing any sub-processor
  • Implementation of appropriate security measures to protect personal data
  • Protocols for responding to the controller’s audit rights

The importance of clarity can’t be overstated. If instructions are vague or incomplete, we must proactively engage the controller for further details. This protects both parties and ensures we remain within the bounds of the GDPR. Ignoring this obligation could result not just in regulatory penalties, but also a breakdown of trust with the controller.

In practice, these documented instructions are often set out in the main service contracts or data processing agreements (DPAs). They serve as a living reference point for day-to-day operations and for troubleshooting any questions that arise during data processing. By following them precisely, we demonstrate accountability and help foster a culture of transparency and compliance throughout the data lifecycle.

Security obligations and sub-processors

Security obligations are at the core of a data processor’s responsibilities under the GDPR and the DPA. When we act as a data processor, we’re required to implement appropriate technical and organizational security measures to safeguard personal data. These measures must ensure a level of security that matches the risks presented by the processing activities, the nature of the data, and evolving threats. It’s not just about ticking boxes—real vigilance is key.

We must follow the exact instructions given by the data controller. This means only processing data as directed, never for our own purposes. But security isn’t static; we should regularly review and update our security practices, including:

  • Encryption of data at rest and in transit to limit unauthorized access.
  • Pseudonymization to reduce the risk of data being linked to specific individuals.
  • Access controls to ensure only trained, authorized staff can handle the data.
  • Regular security assessments and staff training to stay ahead of new vulnerabilities.

When it comes to involving other organizations, the GDPR is clear: using a sub-processor comes with strict rules. If we want to engage another party to help process the data, we must:

  • Obtain the controller’s written authorization—either general or specific—before onboarding a sub-processor.
  • Flow down the same security obligations from our contract with the controller to the sub-processor, including clear instructions and security provisions.
  • Use Standard Contractual Clauses (SCCs) if transferring data to sub-processors located outside the EEA, to maintain an adequate level of protection.
  • Maintain up-to-date records of processing activities, including all sub-processors, as part of our GDPR compliance documentation.

We’re also accountable for the actions of our sub-processors. If they fail to meet GDPR standards, we remain liable to the data controller. That’s why it’s best practice to perform due diligence, conduct regular audits, and insist on clear audit rights in all agreements with any sub-processor.

Keeping these obligations front and center helps us build trust with controllers, demonstrate compliance, and most importantly, protect the rights and freedoms of individuals whose data we handle.

Data Processing Agreement essentials

A Data Processing Agreement (DPA) is the cornerstone of a compliant relationship between a data controller and a data processor under the GDPR. This legally binding contract is not just a formality—it defines how personal data will be handled, protected, and processed on behalf of the data controller. Let’s unpack the essentials you should look for in any DPA to ensure you’re meeting your legal and ethical obligations.

Clear instructions and scope are non-negotiable. The DPA must outline the subject matter, duration, nature, and purpose of the processing. It should specify the types of personal data and categories of data subjects involved. This clarity helps both parties avoid misunderstandings and ensures that the processor only acts on documented instructions from the controller.

  • Security Measures: The DPA must require that the data processor implements appropriate technical and organizational security measures. These safeguards protect personal data from unauthorized access, accidental loss, or disclosure. Think encryption, access controls, and regular security assessments.
  • Sub-processors: If a data processor plans to engage another party (a sub-processor), the DPA must set out the process for obtaining prior written authorization from the controller. The agreement should require the processor to pass on the same data protection obligations to sub-processors, ensuring consistent security and accountability through the supply chain.
  • Standard Contractual Clauses (SCCs): If personal data is transferred outside the EEA, the DPA should address the mechanisms for lawful cross-border data transfers, such as SCCs. This is essential for maintaining GDPR compliance when working with global partners.
  • Records of Processing: The DPA needs to require that the processor keeps detailed records of processing activities carried out on behalf of the controller. This transparency is critical, especially if regulators come knocking or if there’s a data breach.
  • Audit Rights: The agreement should grant the controller the right to audit—and request evidence of—the processor’s compliance with the DPA and GDPR. Regular audits help build trust and catch potential issues before they escalate into bigger problems.
  • Return or Deletion of Data: Once the processing ends, the DPA should clarify whether personal data must be returned to the controller or deleted, unless EU law requires retention. This keeps everyone on the same page about what happens when the business relationship concludes.

DPAs also address cooperation obligations. The processor may be required to assist the controller with data subject requests, incident response, and regulatory investigations. This cooperative spirit is essential for fulfilling data subjects’ rights and maintaining compliance in a rapidly changing regulatory landscape.

Don’t overlook the importance of robust DPAs: They’re not only a legal requirement but a practical tool for building transparent, secure, and trustworthy data processing relationships. By ensuring your DPA covers these essentials, you’ll be well-equipped to navigate GDPR compliance with confidence and clarity.


International transfers and SCCs

When personal data moves beyond the borders of the European Economic Area (EEA), a data processor must navigate the complex requirements set by the GDPR. International data transfers introduce additional risks and obligations, so we need to take extra care to ensure compliance.

Standard Contractual Clauses (SCCs) are the GDPR’s primary tool for safeguarding data leaving the EEA. These are pre-approved legal contracts that bind both the data processor and any receiving party outside the EEA to uphold European data protection standards. If your organization acts as a data processor and uses sub-processors or service providers in countries lacking an EU adequacy decision, SCCs are likely required. Implementing SCCs is not optional—they are a legal necessity unless another adequate safeguard is in place.

Here’s what you should know and do regarding international transfers and SCCs:

  • Follow the controller’s instructions: As a data processor, you must never transfer data internationally without explicit documented instructions from the data controller. These instructions should specify the scope, destination, and legal basis for the transfer.
  • Update contracts and records: Whenever SCCs are used, include them as part of your Data Processing Agreement (DPA) with the controller and, if relevant, with any sub-processor. Always record details of international transfers as part of your records of processing, as required by Article 30 of the GDPR.
  • Implement robust security measures: International transfers often increase risk, so review and update your technical and organizational security measures. This helps mitigate the potential impact of cross-border data breaches.
  • Manage sub-processors carefully: If you engage a sub-processor outside the EEA, you must ensure that SCCs (or another transfer mechanism) are in place between your organization and the sub-processor. This must be approved by the data controller in advance.
  • Be audit-ready: Both controllers and, in some cases, regulatory authorities may exercise audit rights to check that SCCs are correctly implemented and respected. Keep documentation organized and readily accessible to demonstrate compliance at any time.

In summary, every international data transfer must be justified and protected under the GDPR. Using SCCs is a practical way to demonstrate your commitment to data privacy, ensure the security of personal information, and avoid costly compliance failures. If you’re unsure about the requirements for a specific transfer, always consult your DPA and seek legal guidance to avoid unintended breaches.

Records and audits

Keeping accurate and comprehensive records is a fundamental obligation for every data processor under the GDPR. These records prove compliance and ensure transparency for both clients and regulators. Let’s break down what this means for your organization, and how you can meet these expectations confidently.

Records of processing activities (ROPA) are not optional for data processors. The GDPR and many national Data Protection Authorities (DPAs) require you to document all processing activities you perform on behalf of a data controller. At a minimum, your records should include:

  • The name and contact details of your organization, and any sub-processors involved.
  • The categories of processing activities you perform, along with a clear description of each.
  • A list of the data controllers you work with, and where possible, their contact information.
  • The categories of personal data and data subjects involved, as defined in your contract and instructions.
  • Information on any international data transfers, including references to Standard Contractual Clauses (SCCs) or other safeguards you rely on.
  • A summary of the security measures you have implemented to protect personal data as required by Article 32 GDPR.

Why are these records so important? Put simply, it’s about accountability. If a Data Protection Authority requests information, or if a data controller wants to review your practices, having thorough records at your fingertips shows you’re taking your obligations seriously. This isn’t just about ticking boxes; it’s about building trust and reducing legal risks.

Audit rights are another cornerstone of GDPR compliance for data processors. Most data processing agreements grant the data controller the right to audit your operations or request third-party audits. These audits check whether you’re following their instructions, applying appropriate security measures, and properly managing sub-processors. Being audit-ready means:

  • Keeping your records of processing up to date—don’t wait until an audit is announced to get organized.
  • Documenting all instructions received from the data controller, including how and when they were implemented.
  • Maintaining evidence of your security controls, such as access logs, encryption protocols, and incident response documentation.
  • Recording any use of sub-processors, including contracts, DPA notifications, and documented approval from the controller.

Practical tip: Set up a regular internal review—quarterly or semi-annually—to ensure your records are current and your processes align with both GDPR and your contractual obligations. This proactive approach not only makes audits less stressful but also helps you spot gaps before they become issues.

Ultimately, robust record-keeping and openness to audits are not just regulatory requirements—they’re smart business practices. They protect your reputation, strengthen customer relationships, and create a culture of privacy-first thinking within your team. By staying audit-ready and keeping diligent records, we’re not just complying with the law—we’re raising the standard for responsible data processing.

Processor vs sub-processor

Understanding the distinction between a data processor and a sub-processor is vital for keeping your organization on the right side of GDPR compliance. While their roles may appear similar at first glance, the responsibilities and legal obligations differ—and getting this wrong can have serious consequences.

A data processor acts on documented instructions from the data controller, handling personal data on their behalf. This relationship is governed by a Data Processing Agreement (DPA) that details the nature of processing activities, security measures, and how instructions are managed. But what happens if a processor needs help from another party to deliver these services?

This is where the sub-processor enters the picture. A sub-processor is any third-party entity that a data processor engages to assist with processing activities covered by the original contract. For example, if you use a cloud hosting provider to store data you’re processing for a client, that provider becomes your sub-processor.

  • Approval and transparency: Under the GDPR, a data processor cannot simply appoint a sub-processor without the controller’s prior written authorization. Controllers must always be informed and often have the right to object.
  • Contractual obligations: The data processor must ensure that any sub-processor is bound by the same contractual commitments—especially regarding security measures, SCCs (Standard Contractual Clauses), and confidentiality—that exist between the processor and controller.
  • Records of processing and audit rights: Both processors and sub-processors must keep detailed records of processing activities. Controllers may exercise audit rights not only over their processors but, through contractual flow-downs, over sub-processors as well.
  • Security and risk management: It’s the processor’s responsibility to verify that each sub-processor implements adequate security measures to protect personal data. Any breach or failure at the sub-processor level can be just as damaging as one by the primary processor.

In practice, using a sub-processor shouldn’t be a shortcut to lessen your GDPR obligations—it actually adds layers of responsibility. Maintaining clear instructions, documenting processes, and ensuring all parties are contractually and technically aligned is non-negotiable.

We recommend that, before onboarding any sub-processor, you:

  • Review and update your DPA to explicitly cover sub-processing arrangements
  • Use SCCs for data transfers outside the EEA
  • Audit sub-processors regularly to verify compliance with agreed security measures
  • Keep your records of processing activities up to date, including details of all sub-processors

By understanding and respecting the fine line between processor and sub-processor, you not only strengthen your compliance posture but also build trust with your clients. In the end, well-managed data relationships are the foundation of responsible data stewardship under the GDPR.

At the heart of these responsibilities is compliance with strict legal requirements, such as following the GDPR, the DPA, and the specific instructions provided by the data controller. As a data processor, it’s crucial to implement robust security measures, keep comprehensive records of processing, and always obtain authorization before engaging any sub-processor. You must also be prepared to honor audit rights and, where appropriate, rely on SCCs to ensure data transfers remain lawful and secure.

Understanding these obligations isn't just about ticking boxes—it’s about building trust with your clients and the people whose data you process. Keeping communication open, documenting your actions, and responding swiftly to any data protection concerns will help you demonstrate accountability and compliance every step of the way.

The landscape of data protection is always evolving, but by staying informed and proactive, you can confidently fulfill your role as a data processor. Remember, your commitment to privacy and diligence in following the rules will set you apart as a reliable and ethical partner in the digital age.

FAQs

Can a processor decide purposes?

No, a data processor cannot decide the purposes for processing personal data under the GDPR. The data processor must strictly follow the documented instructions given by the data controller. It's the controller who determines both the "why" (purposes) and the "how" (means) of processing. Processors simply act on the controller’s behalf and never set their own objectives for using the data.

This separation of roles is central to GDPR compliance. If a processor starts deciding the purposes for data use, it risks being classified as a data controller, with much broader legal obligations. That's why contracts like the DPA (Data Processing Agreement) are essential – they clearly outline what the processor is allowed to do, including their responsibilities for security measures, managing sub-processors, adhering to SCCs (Standard Contractual Clauses), maintaining records of processing, and allowing for audit rights.

In summary: a data processor must always act under the controller's direction and never independently determine the reasons for data processing. This strict division helps ensure data protection, clarity, and trust for everyone involved.

When do we become a sub-processor?

We become a sub-processor when we process personal data on behalf of another data processor, rather than directly for the data controller, under the terms of a Data Processing Agreement (DPA). This usually happens when a data processor outsources part of their processing activities to us, following the instructions of the main controller.

Under the GDPR, our role as a sub-processor is tightly regulated. We must implement robust security measures, maintain detailed records of processing, and comply with any applicable SCCs (Standard Contractual Clauses) if data is transferred internationally. The main data processor is required to inform the controller and obtain their approval before engaging us as a sub-processor.

As a sub-processor, we are also subject to audit rights by both the data processor and, in some cases, the controller, ensuring we meet all contractual and legal obligations. It’s essential that our processing activities always align with the controller’s instructions, as set out in the DPA.

What must a DPA include?

A Data Processing Agreement (DPA) is a core requirement under the GDPR whenever a data controller engages a data processor. The DPA must clearly outline instructions from the controller to the processor, specifying how personal data should be processed and for what purposes. This ensures that the data processor only acts on documented instructions from the controller, preventing unauthorized or accidental data processing.

The DPA must also define the security measures that the data processor is required to implement. These measures should ensure an appropriate level of protection for personal data, addressing risks such as accidental or unlawful destruction, loss, or unauthorized disclosure. Including detailed security requirements helps both parties demonstrate GDPR compliance and safeguard data subjects’ rights.

Additionally, a compliant DPA needs to address the use of sub-processors, making it clear that the processor cannot engage another processor without the controller’s prior written authorization. It should also specify that contracts with sub-processors must include similar data protection obligations. When international transfers are involved, the DPA should reference mechanisms like Standard Contractual Clauses (SCCs) to ensure lawful data transfers.

Other essential elements include the requirement for the processor to maintain records of processing activities, grant the controller audit rights, and assist the controller in meeting GDPR obligations, such as responding to data subject requests. By covering these areas, a DPA helps build trust and transparency between controllers and processors, laying a strong foundation for data protection compliance.

Do processors need to conduct DPIAs?

Under the GDPR, the primary responsibility for conducting Data Protection Impact Assessments (DPIAs) falls on the data controller, not the data processor. The controller is the party that determines the purposes and means of processing personal data and therefore must assess and mitigate risks to data subjects’ rights.

However, data processors still play an important supporting role in the DPIA process. When instructed by the data controller, processors must provide all necessary information and expertise about the processing activities, including details about security measures, sub-processors, and any Standard Contractual Clauses (SCCs) in place. They are also required to maintain accurate records of processing and cooperate during any audit rights exercises.

In short, while processors do not initiate DPIAs themselves under the GDPR, they are legally required by the DPA (Data Processing Agreement) to assist controllers in fulfilling this obligation. Following clear instructions and maintaining robust security measures is vital for processors to remain compliant and to support controllers efficiently.
