Data Processor

A data processor is responsible for processing consumer data in accordance with the data controller’s instructions.

What is a data processor?

Data processors act on behalf of, and only on the instructions of, the data controller.

A data processor is the company that processes data on behalf of a data controller. The data processor is not allowed to do anything with the personal data other than what is explicitly stated by the data controller. An example of a processor would be a software company delivering HR software to customers. If the customers of the HR company add personal data about their employees, the HR company would then be a data processor.

Processors do not have the same obligations as controllers under the GDPR. However, as a processor you are still responsible for complying with the GDPR and for being able to demonstrate compliance with its data protection principles.

What are the duties of the data processor?

The duties of the data processors are specified by Article 28 of the GDPR. Among other things, the processors must:

  • only process personal data on instructions from a controller,
  • enter into a binding contract with the controller,
  • only engage another processor (i.e. a subprocessor) with the controller’s prior authorisation,
  • implement appropriate technical and organisational measures to ensure the security of personal data,
  • notify the relevant controller without undue delay if the processor becomes aware of a data breach,
  • ensure that any transfer outside Europe is authorised by the controller and complies with the GDPR’s provisions on transfers.

Is your company a data processor?

These statements can help you determine whether your company is a data processor under the GDPR; the more of them that apply, the more likely it is that you are acting as a processor:

  • We are following instructions from someone else regarding the processing of personal data.
  • We were given the personal data by a customer or similar third party, or told what data to collect.
  • We do not decide to collect personal data from individuals.
  • We do not decide what personal data should be collected from individuals.
  • We do not decide the lawful basis for the use of that data.
  • We do not decide what purpose or purposes the data will be used for.
  • We do not decide whether to disclose the data, or to whom.
  • We do not decide how long to retain the data.
  • We may make some decisions on how data is processed, but we implement these decisions under a contract with someone else.

Further reading

Not all third parties are data processors. Where a third party processes user data for its own purposes, e.g. Facebook’s “like” widget, that third party is also considered to be a controller. Read more about the different GDPR roles.
