Data processor is responsible for processing consumer data in accordance with the data controller’s instructions.
Data processors act on behalf of, and only on the instructions of, the data controller.
A data processor is the company that processes data on behalf of a data controller. The data processor is not allowed to do anything with the personal data other than what is explicitly stated by the data controller. An example of a processor would be a software company delivering HR software to customers. If the customers of the HR company add personal data about their employees, the HR company would then be a data processor.
Processors do not have the same obligations as controllers under the GDPR. However, as a processor you are also responsible for ensuring that you comply with the GDPR and demonstrate compliance with the GDPR data protection principles.
The duties of the data processors are specified by Article 28 of the GDPR. Among other things, the processors must:
These questions can help you determine whether your company is a data processor under GDPR:
Not all third-parties are data processors. In cases where the third party processes user data for their own purposes, e.g. Facebook’s “like” widget, the third party is also considered to be a controller. Read more about the different GDPR roles.