Processor (Data Processor)

Definition

A natural or legal person, public authority, agency, or other body that processes personal data on behalf of a data controller, according to the controller's instructions. Under GDPR Article 4(8), processors have no independent authority to determine the purposes and means of processing—they act only as instructed by the controller. Common examples include cloud storage providers, payroll services, email service providers, analytics platforms, and marketing agencies. Processors have specific obligations: process only on documented instructions, ensure personnel confidentiality, implement appropriate security measures, engage sub-processors only with controller approval, assist with data subject rights requests and security incidents, delete or return data when services end, provide information necessary for demonstrating compliance, and allow for audits. The controller-processor distinction is crucial for determining legal responsibilities, though the line can blur when a processor makes certain decisions, potentially elevating them to controller or joint controller status. Processors face direct GDPR liability for violations.

Applicable Laws & Regulations

  1. GDPR Article 4(8) (Processor definition)
  2. GDPR Article 28 (Processor obligations)
  3. GDPR Article 82 (Processor liability)
