What Is a Data Processor? A Beginner’s Guide with Examples and GDPR Basics
Data Processor Definition
A data processor is any organization or individual that performs Personal Data Processing on behalf of a data controller. Processors do not decide why personal data is used; they execute tasks under the controller’s documented instructions as part of GDPR Compliance.
Key characteristics of a data processor:
- Acts only on the controller’s documented instructions and within a defined purpose and scope.
- Implements appropriate Technical and Organizational Measures to protect personal data.
- May engage another processor (a sub-processor) only with Sub-Processor Authorization from the controller.
- Maintains Processing Activity Records and helps the controller meet GDPR obligations.
Employees of a controller are not processors; processors are typically separate service providers that handle data as part of a contract.
Data Processor Examples
Common real‑world data processors include:
- Cloud hosting and storage providers managing customer databases.
- Email delivery and marketing automation platforms sending campaigns for clients.
- Payment gateways processing transactions for an online store.
- Payroll and benefits vendors calculating salaries and administering benefits.
- IT support and managed service providers with maintenance access to systems.
- Customer support outsourcers handling tickets containing personal information.
- Analytics, A/B testing, and fraud‑detection services processing behavioral data.
- Document scanning, shredding, or archiving firms handling records containing personal data.
- Identity verification and e‑signature providers validating users and agreements.
Data Processor Responsibilities
As a processor, you must operate securely, transparently, and strictly within your mandate. Core responsibilities include:
- Follow the controller’s documented instructions and challenge any unlawful directives.
- Adopt risk‑appropriate Technical and Organizational Measures (for example, encryption, access controls, and secure development practices).
- Keep data confidential and ensure staff and contractors are bound by confidentiality obligations.
- Obtain Sub-Processor Authorization before engaging third parties and flow down identical protections.
- Maintain Processing Activity Records that describe what you process, for whom, and how.
- Assist the controller with Data Protection by Design, privacy impact assessments, and data subject requests.
- Provide prompt Data Breach Notification to the controller after becoming aware of an incident.
- Delete or return data at the end of the service and enable audits that verify GDPR Compliance.
Data Controller vs Data Processor
The controller determines the “why” and “how” of processing; the processor performs the work. Understanding the split helps you assign duties correctly.
- Decision‑making: Controllers choose purposes and key means; processors choose only the practical means needed to deliver the service securely.
- Relationship: Controllers instruct; processors fulfill those instructions under contract.
- Examples: An online retailer (controller) uses a cloud email service (processor) to send purchase confirmations the retailer defines.
- Role changes: The same company can be a controller for its HR data and a processor for its clients’ data.
Data Processor Obligations under GDPR
Process only on documented instructions
Work within the subject matter, duration, nature, and purpose agreed with the controller. Escalate any ambiguous or unlawful instruction before acting.
Implement Technical and Organizational Measures
Design and maintain layered safeguards proportionate to the risks. Typical measures include encryption at rest and in transit, least‑privilege access, key management, logging and monitoring, secure software development, vendor due diligence, and tested incident response procedures.
Maintain Processing Activity Records
Keep up‑to‑date records describing the categories of processing you perform, the controllers you serve, international transfers, retention timeframes, and a general description of your security controls. These records help demonstrate GDPR Compliance to supervisory authorities.
Manage sub‑processors with care
Engage sub‑processors only with prior Sub-Processor Authorization (specific or general). Contractually impose equivalent obligations, monitor their performance, and remain fully liable to the controller for their actions.
Assist with rights and Data Protection by Design
Support the controller’s responses to access, rectification, deletion, and portability requests. Offer technical options that enable Data Protection by Design, such as data minimization, pseudonymization, and configurable retention settings.
Provide timely Data Breach Notification
Notify the controller without undue delay after becoming aware of a personal data breach, sharing the facts known so far, the likely impacts, and the mitigation steps taken or planned. The controller is responsible for notifying supervisory authorities and affected individuals unless it instructs you otherwise.
Support lawful data transfers
Process personal data only in approved locations and under valid transfer mechanisms as instructed by the controller. Be transparent about sub‑processor locations and flow‑down safeguards.
Demonstrate compliance
Make information available for audits, cooperate with supervisory authorities, and continuously improve controls to keep pace with changing risks and services.
Data Processor Liability
Processors can be directly liable for failing to meet GDPR duties and may face compensation claims from individuals for damage caused by non‑compliance. Liability can be joint with the controller where both contributed to harm.
- Regulatory exposure: Supervisory authorities can impose significant administrative fines for security, confidentiality, record‑keeping, and cooperation failures.
- Contractual exposure: Indemnities, service credits, and termination rights often flow from breach of processor obligations.
- Sub‑processor risk: You remain liable to the controller for sub‑processors, so monitor their security and compliance rigorously.
- Mitigation: Strong Technical and Organizational Measures, rapid incident response, and clear documentation reduce liability.
Data Processor Contractual Requirements
The controller–processor agreement (often called a Data Processing Agreement, or DPA) should specify at least the following:
- Subject matter, duration, nature, and purpose of processing.
- Types of personal data and categories of data subjects involved.
- Processing only on documented instructions, including rules for international transfers.
- Confidentiality obligations for personnel with access to personal data.
- Appropriate Technical and Organizational Measures describing how you protect data.
- Sub-Processor Authorization requirements and the obligation to flow down equivalent terms.
- Assistance with data subject rights, Data Protection by Design, and risk assessments.
- Data Breach Notification timelines and cooperation expectations.
- Processing Activity Records, audit rights, and information needed to demonstrate GDPR Compliance.
- Return or deletion of personal data at contract end and secure disposal standards.
In practice, you should map data flows, maintain accurate records, review security regularly, and communicate early with controllers to prevent scope creep or unlawful instructions.
FAQs
What is the difference between a data processor and a data controller?
A data controller decides why and how personal data is processed, sets the purposes, and instructs others. A data processor carries out Personal Data Processing for the controller, using appropriate safeguards and staying strictly within the controller’s documented instructions.
What are the main responsibilities of a data processor?
Follow documented instructions, implement proportionate Technical and Organizational Measures, maintain Processing Activity Records, obtain Sub-Processor Authorization, assist with data subject rights and Data Protection by Design, provide prompt Data Breach Notification to the controller, enable audits, and securely delete or return data when services end.
How must a data processor handle data breaches?
Upon becoming aware of a personal data breach, notify the controller without undue delay, provide known details and mitigation steps, cooperate with containment and investigation, and implement corrective actions. The controller decides whether to notify authorities or affected individuals and may instruct you to assist.