Data Protection

Data Processor

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, acting only on the controller's documented instructions.

Full Definition

The data processor, defined in Article 4(8) of the GDPR, is an entity that processes personal data on behalf of the data controller. Unlike the controller, the processor does not determine the purposes and means of processing; it acts only under the controller's instructions. Common examples include cloud service providers, payroll companies, and third-party analytics firms that handle personal data as instructed by their clients.

Article 28 of the GDPR establishes strict requirements for the relationship between controllers and processors. Controllers may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. The processing must be governed by a binding contract or legal act (the "data processing agreement" or DPA) that sets out the subject-matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects.

Processors have direct obligations under the GDPR, including the duty to maintain records of processing activities carried out on behalf of controllers, implement appropriate security measures, notify the controller without undue delay upon becoming aware of a personal data breach, appoint a Data Protection Officer where required, and not engage sub-processors without the controller's prior authorisation. Processors can also face direct administrative fines and liability for damages.

The distinction between controller and processor has significant practical implications. An entity that acts beyond the controller's instructions (for example, by using the data for its own purposes) may be deemed a controller for that processing, with all the attendant obligations and liabilities. This is particularly relevant in the context of AI and machine learning, where processors handling training data must be careful not to cross the line into controllership.

