Data Processor

A data processor is an external company or person that processes personal data on your behalf. Think of your hosting provider, your payroll system or your newsletter platform. They all process data for which your organisation is the responsible party.

    What is a data processor?

    Under GDPR Article 4(8), a data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. The key distinction is that the processor does not determine the purposes or means of processing — the controller does.

    The processor relationship arises whenever your organisation engages an external party that handles personal data as part of the service it provides to you. This is an extremely common arrangement in modern business operations.

    Typical data processors

    Most organisations rely on numerous data processors. Common examples include:

    • Cloud and hosting providers: Infrastructure services that store or transmit your data (e.g. AWS, Azure, Google Cloud).
    • Payroll and HR systems: External platforms that process employee data on your behalf.
    • Email and newsletter services: Platforms that store contact lists and send communications.
    • CRM systems: Customer relationship management tools holding customer personal data.
    • IT support and managed services: External IT providers with access to your systems and data.
    • Recruitment platforms: Services that process candidate personal data during hiring.

    Your obligations towards data processors

    As the data controller, you bear the primary responsibility for ensuring that your processors handle personal data correctly. GDPR Article 28 sets out specific requirements:

    • Data processing agreement: You must have a written agreement with every processor, covering the scope, purpose and security measures of the processing.
    • Due diligence: Before engaging a processor, you must assess whether they can provide sufficient guarantees regarding data protection.
    • Security assessment: You must ensure the processor implements appropriate technical and organisational security measures.
    • Sub-processors: The processor may not engage another processor (sub-processor) without your prior written authorisation.
    • Audit rights: You must retain the right to audit or inspect the processor’s compliance.

    Sub-processors

    A sub-processor is a third party engaged by your data processor to carry out part of the processing. For example, your CRM provider may use a cloud hosting service to store the data. Your processor must inform you of any new sub-processors and give you the opportunity to object.


    How many processors does a typical organisation have?
    Small and medium-sized enterprises typically have between 30 and 60 data processors. Larger organisations often have several hundred. Maintaining an up-to-date register of all processors is essential for GDPR compliance.

    Frequently asked questions about data processors

    What is a data processor under GDPR?

    A data processor is any external party that processes personal data on behalf of a data controller. The processor acts only on the controller’s instructions and does not determine the purposes or means of the processing.

    What is the difference between a data controller and a data processor?

    The data controller determines why and how personal data is processed, whilst the data processor carries out the processing on the controller’s behalf. The controller bears primary responsibility for compliance.

    Do I need a data processing agreement with every processor?

    Yes. GDPR Article 28 requires a written agreement with every data processor. The agreement must cover the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects.

    What is a sub-processor?

    A sub-processor is a third party engaged by your data processor to perform part of the processing. Your processor must obtain your prior written authorisation before engaging any sub-processor.

    How many data processors does a typical company have?

    Small and medium-sized enterprises typically have between 30 and 60 data processors. It is important to maintain a complete and up-to-date register of all processors as part of your GDPR compliance programme.
