What is a Data Processor? GDPR Definition & Obligations

Data Processor

A data processor is an entity that processes personal data on behalf of a data controller, following the controller's documented instructions. Processors include cloud providers, payroll services, email platforms, and any third party handling data for another organization.

GDPRprivacyprocessorArticle 28DPA

Why It Matters

The distinction between controller and processor determines who is responsible for what under GDPR. Processors have fewer obligations than controllers, but they are not exempt — GDPR introduced direct obligations and potential fines for processors. Organizations that process data for clients (SaaS companies, cloud providers, agencies) must understand their processor obligations.

Processor Obligations Under GDPR

Data processors must:

Only process data according to the controller's documented instructions — going beyond these instructions makes the processor a controller for that processing
Ensure confidentiality — staff must be under obligations of confidentiality
Implement appropriate security measures — encryption, access controls, regular testing
Not engage sub-processors without prior authorization from the controller (general or specific)
Assist the controller with data subject requests, DPIAs, breach notification, and audits
Delete or return data when the processing relationship ends
Maintain records of processing activities (Article 30(2))
Notify the controller without undue delay after becoming aware of a data breach

The Data Processing Agreement (DPA)

GDPR Article 28 requires a binding contract between controller and processor. The DPA must specify:

Subject matter and duration of processing
Nature and purpose of processing
Types of personal data and categories of data subjects
Controller's obligations and rights
Security measures
Sub-processor approval process
Audit rights
Data deletion or return upon termination

Sub-Processors

When a processor engages another processor (a sub-processor), they need the controller's authorization. The processor remains fully liable to the controller for the sub-processor's performance. Sub-processor chains are common in cloud computing — for example, a SaaS provider using AWS for hosting and Stripe for payments.

Key Regulation

GDPR Article 4(8) — definition of processor
GDPR Article 28 — processor obligations and DPA requirements
GDPR Article 30(2) — processor records of processing
GDPR Article 82 — processor liability for damages

Data Processor

GDPRprivacyprocessorArticle 28DPA

Data Processor

Why It Matters

Processor Obligations Under GDPR

The Data Processing Agreement (DPA)

Sub-Processors

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?

Data Processor

Why It Matters

Processor Obligations Under GDPR

The Data Processing Agreement (DPA)

Sub-Processors

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?