Data Processor
Stands for: Data Processor (GDPR role)
A natural or legal person that processes personal data on behalf of a controller, only on documented instructions, under a binding GDPR Article 28 agreement.
Definition
The **Data Processor** is defined in GDPR Article 4(8) as any party that processes personal data on behalf of the controller. The processor's defining feature is constraint: it acts only on documented instructions from the controller under Article 29. Processing for the processor's own purposes converts the processor into a controller for that activity, with all the controller obligations attaching.

Article 28 sets out the mandatory content of the contract between controller and processor: subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, controller obligations and rights, and binding processor commitments on confidentiality, security, sub-processor authorisation, assistance with data-subject rights, breach notification, and audit rights.

Processors have direct GDPR obligations of their own (security under Article 32, records of processing under Article 30(2), breach notification to the controller under Article 33(2), DPO appointment under Article 37 where applicable, international transfer safeguards under Chapter V). Processors can be fined directly by supervisory authorities for breaches of these direct obligations.
When you'll encounter it
You will act as a processor when offering services to your customers: a SaaS that hosts customer data, a payroll bureau, a hosting provider, an email-sending tool. Your contracts with customers will include an Article 28 Data Processing Addendum (DPA), a sub-processor list, and Standard Contractual Clauses for any international transfers triggered by the service.
FAQ
Can a processor use sub-processors?
Yes, but only with prior specific or general written authorisation from the controller under Article 28(2). The processor must impose the same data protection obligations on the sub-processor by contract, and remains fully liable to the controller for the sub-processor's performance.
What happens if a processor goes beyond instructions?
It becomes a controller for that processing under Article 28(10) and assumes the corresponding obligations. This is how cloud providers can become joint controllers when they use customer data for their own product analytics or model training without a clear lawful basis distinct from the original instruction.
Are Article 28 DPAs enough for international transfers?
No. International transfers from the EU/EEA to third countries also require an Article 46 transfer mechanism: Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision such as the EU-US Data Privacy Framework. The Article 28 DPA does not by itself satisfy Chapter V.
References
- GDPR Articles 28-29, 30(2), 32, 33(2), Regulation (EU) 2016/679 https://eur-lex.europa.eu/eli/reg/2016/679/oj
- EDPB Guidelines 07/2020 on the concepts of controller and processor https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en
- EU Standard Contractual Clauses, Commission Decision 2021/914 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj