Third-Party Processor
Definition
An entity that processes personal data on behalf of a data controller but is not the controller's direct service provider, requiring chain-of-processing arrangements. This commonly occurs when primary processors (such as SaaS platforms) engage sub-processors (such as cloud hosting providers) to perform specific processing activities.

Under GDPR Article 28, processors must obtain controller authorization before engaging sub-processors, and sub-processors must agree to the same data protection obligations as the primary processor through written contracts. The primary processor remains liable to the controller for the sub-processor's performance.

Organizations acting as controllers should:
- require processors to disclose sub-processor relationships;
- reserve approval rights or objection mechanisms for sub-processor changes;
- ensure data processing agreements address sub-processor requirements;
- conduct due diligence on material sub-processors' practices;
- understand the full processing chain.

As data flows through multiple parties, risk increases: each additional processor creates potential security vulnerabilities and compliance gaps.
Applicable Laws & Regulations
- GDPR Article 28(2)
- GDPR Article 28(4)