Data Processor

A data processor is any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Unlike controllers, processors do not determine the purposes and means of processing — they act on the controller's instructions. Common examples include: cloud service providers, payroll companies, email marketing platforms, and CRM providers. Under GDPR, processors must: process data only on documented instructions from the controller, ensure personnel are bound by confidentiality, implement appropriate security measures, assist the controller with DSRs and DPIAs, delete or return data upon termination, and make information available for audits. A Data Processing Agreement (DPA) must be in place between controller and processor.