Governance

Data Processor

Definition

A data processor is an entity, agency, or third-party service provider that processes personal data on behalf of a data controller. Unlike the controller, who determines the why and how of processing, the data processor is defined by its role as an agent acting strictly under documented instructions. Data processor responsibilities are established primarily through a binding contract or data processing agreement. These obligations include implementing robust technical and organizational security measures to protect data, ensuring confidentiality, and assisting the controller with compliance tasks such as responding to requests from individuals (data subjects) and reporting breaches. While processors do not own the data, processor compliance is critical for maintaining the integrity of the supply chain and ensuring that privacy and security requirements are met during outsourcing activities.

Real-World Examples

Cloud Service Provider

A startup uses a cloud hosting company to store its customer database. The startup (controller) decides what data to collect and how long to keep it. The cloud provider acts as the data processor, storing and computing the data on its servers strictly according to the startup's configuration and the service agreement, without using the data for its own purposes.

Payroll Outsourcing

A company engages an external agency to manage monthly salary disbursements. The company provides employee details and bank account numbers. The agency, serving as the data processor, calculates taxes and transfers funds based on these instructions. They are contractually bound to secure the financial data and return or delete it at the end of the service relationship, as agreed.

A data processor is any person, public authority, agency, or other body that processes personal data on behalf of a data controller. Their role is limited to handling data according to the instructions provided by the controller, rather than determining the purpose or means of processing themselves.

Processor obligations typically include processing data only on written instructions, ensuring the confidentiality of the data, taking appropriate security measures, returning or deleting data at the end of the service, and assisting the controller with audits, breach notifications, and requests from individuals (data subjects) exercising their rights.

The main difference lies in decision-making power. The data controller determines the purposes and means of processing (the why and how), whereas the data processor acts solely on behalf of the controller. The controller bears primary accountability for the lawful processing of the data.

A data processing agreement should detail the subject matter, duration, nature, and purpose of processing, the type of personal data, and the categories of individuals (data subjects) concerned. It should also set out the processor's duties regarding security, confidentiality, and sub-processing, and the rights and obligations of the controller.

A data processor can usually engage sub-processors only with the prior specific or general written authorization of the data controller. If allowed, the processor must impose the same data protection obligations on the sub-processor as are set out in the contract between the controller and the processor.

A data processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This can include encryption, pseudonymization where appropriate, ensuring the confidentiality, integrity, availability, and resilience of systems, and having the ability to restore data access in the event of a physical or technical incident.

Processor liability varies by jurisdiction and contract terms but commonly includes contractual liability to the data controller for failing to follow instructions or causing a breach. Depending on the applicable rules, processors may also face direct regulatory enforcement for failing to meet obligations such as security requirements or record-keeping.

To audit a data processor, the data controller should exercise the audit rights defined in the contract. This can involve reviewing the processor's independent assurance reports or certifications, inspecting relevant records of processing activities, and conducting assessments or third-party audits to verify adherence to agreed security and privacy controls. Many organizations manage this through a structured vendor review workflow (e.g., WatchDog Security's Vendor Risk Management) to centralize evidence like security questionnaires, DPAs, assurance reports, and re-assessment schedules.

References & Resources

Version  Date        Author                           Description
1.0.0    2026-02-26  WatchDog Security GRC Wiki Team  Initial publication