What is a data processor?

According to Chapter 1, Art. 4.8 of the GDPR, a data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In some cases, the data processor can also be a data controller. 

What are the responsibilities of a data processor?

A data processor’s responsibilities revolve mainly around meeting the requirements of the data controller and maintaining the privacy and security of the data subject. The GDPR outlines several key responsibilities and roles of a data processor. These include:

  • Handling and processing personal data solely based on the instructions of the data controller, except when mandated by Union or Member State law;
  • Putting in place suitable technical and organizational precautions, such as pseudonymization and encryption, to maintain the privacy and security of personal data;
  • Helping the data controller address requests from data subjects exercising their rights;
  • Erasing or returning all personal data to the controller once the service related to processing is concluded;
  • Maintaining data confidentiality and not engaging another processor unless instructed by the data controller;
  • Providing the controller with all essential information to demonstrate GDPR compliance, including facilitating and contributing to audits.

GDPR processor vs controller 

The data controller is in charge of the procedures and purpose of data processing and is responsible for ensuring they are GDPR-compliant. The data processor is only responsible for carrying out the processing according to the controller’s needs and instructions. 

In some cases, there can be an overlap between the two. This can happen when an organization or business collects and processes personal data for its own purposes but also uses that same data to provide specific services or functions. 

If, for example, a social media platform is responsible for determining the features, functionalities, and purposes of collecting and processing personal information such as user profiles, posts, and messages, then the role of the company is that of a data controller. If a user wants to download their own data or manage their account settings, for instance, and the platform processes the user’s data according to their explicit request without making independent decisions about how that data is used, then the company is also a data processor.


What is an example of a data processor?

An example of a data processor is a cloud hosting provider managing customer data for a website. Any third party that processes data on behalf of another company is a data processor. 

What is another name for a data processor?

Another name for a data processor is a service provider. While “service provider” is used in various data privacy contexts to describe the role of a data processor, it’s important to note that it isn’t an official GDPR term. 

Updated on: September 15, 2023
