
Processor

A processor is a natural or legal person that processes personal data solely on the documented instructions and for the purposes of a controller, without deciding on the purposes and means of the processing itself.

A processor (Art. 4(8) GDPR) handles personal data on behalf of a controller, for example as a cloud provider, payroll service, newsletter dispatcher or external data centre. The decisive criterion is the absence of decision-making power over the purposes and means of the processing: whoever determines the 'why' and 'how' is the controller, while a party that merely executes on instructions is a processor. If, however, a service provider makes essential decisions of its own, it may become a controller in its own right or a joint controller.

The processor's obligations follow primarily from Articles 28 to 33 GDPR. It may act only on documented instructions from the controller, must ensure the confidentiality of the persons involved in the processing, and must implement appropriate technical and organisational measures under Art. 32 GDPR. Further sub-processors may be engaged only with authorisation, and the obligations must be passed on contractually. The processor assists the controller with data subject requests, breach notifications and data protection impact assessments, maintains its own record of processing activities under Art. 30(2) GDPR, and deletes or returns the data once the engagement ends.

The legal basis for this relationship is a data processing agreement (DPA) under Art. 28(3) GDPR containing the mandatory minimum content set out there. In terms of liability, the processor is not a mere tool: under Art. 82(2) GDPR it is liable to data subjects for damage where it has failed to comply with its specific processor obligations or has acted contrary to a lawful instruction. Infringements may additionally attract administrative fines under Art. 83 GDPR. If a processor exceeds its instructions and determines the purposes and means itself, it is considered a controller in respect of that processing under Art. 28(10) GDPR and bears full controller responsibility.

Legal Basis

Art. 4(8), Art. 28–33 and Art. 82(2) GDPR

Practical Example

An online retailer engages a cloud provider to host its shop system, including the customer database. Before any production data flows, the data protection officer concludes a DPA under Art. 28(3) GDPR, reviews the technical and organisational measures documented in the contract and authorises the sub-processors used (for example, the data centre). When a security incident later occurs at the host, the host notifies the retailer without undue delay so that the retailer can meet the 72-hour deadline under Art. 33 GDPR. Because the host acts solely on the retailer's instructions, the retailer remains the controller and the host is liable only for breaches of its own processor obligations.

FAQ

The controller decides on the purposes and means of the processing, whereas the processor acts exclusively on instructions on the controller's behalf. A party that makes essential decisions of its own about the data is no longer a processor but a controller in its own right or a joint controller.
Yes. Under Art. 82(2) GDPR the processor is liable where it has failed to comply with its specific obligations or has acted contrary to a lawful instruction from the controller. Administrative fines under Art. 83 GDPR may apply in addition.
Yes, as soon as a service provider processes personal data on instructions, a contract under Art. 28(3) GDPR with the prescribed minimum content is mandatory. Without it the processing is unlawful and may be sanctioned with a fine.
