What is a Data Processor and Their Responsibilities Under the GDPR

In the GDPR data processing landscape, most online businesses hold an important role as data processors. Your mission is to execute specific instructions while abstaining from taking on the primary decision-making responsibilities associated with personal data usage.

This article will explain the core responsibilities and legal obligations that fall on the shoulders of data processors, which include, among other things, following provided instructions, enhancing security measures, and promptly reporting any data breaches.

It’ll also help you determine if your business falls under the definition of a data processor. Let’s start.

KEY TAKEAWAYS:
  • Data processors handle personal data at a data controller’s behest, ensuring data security and maintaining processing records, without making decisions on the data’s purpose or use.
  • They are tasked with implementing security measures, promptly notifying controllers about data breaches, and assisting in upholding data subjects’ rights under GDPR.
  • Non-compliance with GDPR obligations can lead to severe penalties for data processors, emphasizing their key role and accountability in data protection.

PRO TIP: Take the hassle of writing your own privacy policy away with our privacy policy generator trusted by over 200,000 businesses. It’ll save you hours of work and possible costly legal mistakes.

What Is a Data Processor Under the GDPR?

A data processor is an entity that processes personal data on behalf of a data controller. Unlike the data controller, who determines the purposes and means of processing personal data, the processor is primarily responsible for handling the data as per the controller’s instructions.

This processing must be governed by a contract that sets out the processor’s duties, which are substantial but do not include decision-making regarding the data’s purpose or use — that’s the controller’s responsibility.

For instance, a marketing firm analyzing customer data for a retailer or a cloud provider hosting data for various businesses would be considered processors.

They must ensure data security, maintain processing records, and engage sub-processors only with the controller’s consent.

If a data processor breaches the GDPR obligations or the controller’s directions, they can be held liable, emphasizing the weight of their role in the data protection framework.

What Are the Responsibilities of a Data Processor?

Data processors carry a significant burden of responsibility to ensure compliance. From acting on the data controller’s precise directives to protecting data subject rights, their role is integral to the data protection landscape.

Here are five key responsibilities that every data processor under the GDPR must fulfill:

1. Following Data Controller’s Instructions

A data processor’s adherence to the data controller’s instructions is a cornerstone of GDPR compliance. Processors are tasked with handling data exclusively as instructed by the controller, who defines the purpose and context of the processing.

This strict compliance avoids unauthorized data usage and shields the processor from inadvertently assuming the role and associated liabilities of the data controller.

Stepping outside these boundaries not only breaches the GDPR but also threatens the integrity and trust essential to the controller-processor relationship.

2. Implementing Security Measures

Data processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Note that this is not the same as customers’ data privacy.

This includes protecting data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

This responsibility could involve encryption and ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

3. Reporting Data Breaches

Data processors must promptly notify their data controllers in the case of a data breach.

The GDPR mandates that this notification must occur without undue delay, ensuring that the controller has the maximum possible time to take corrective actions.

This rapid response is vital to mitigate any potential damage and to comply with the controller’s obligation to report to the appropriate regulatory body within 72 hours of becoming aware of the breach.

A processor’s swift action in the face of a data breach is not just a regulatory requirement but a fundamental component of the trust placed in them by data controllers and data subjects alike.

4. Maintaining Records of Processing Activities

Processors must keep detailed records of all categories of processing activities carried out on behalf of a controller.

These records must include information such as the purposes of processing and a description of the categories of data subjects and personal data, which are essential for demonstrating compliance with GDPR.

5. Data Subject Rights

Data processors must assist data controllers in upholding the rights of data subjects under the GDPR. This includes responding to requests for data access, rectification, erasure, and portability.

When a data subject exercises their rights, it’s the processor’s duty to ensure their infrastructure and operations can fulfill these requests in a timely manner.

This requires processors to have efficient processes in place to accommodate data subjects’ rights without delay, thus reinforcing the regulation’s person-centric approach to data privacy.

Here’s a handy infographic of a data processor’s responsibilities under the GDPR:

Infographic of key responsibilities of a GDPR data processor

What Is a Data Sub-Processor?

A data sub-processor is an entity that is contracted by a data processor to perform specific tasks related to personal data on behalf of the data controller.

As a data controller, you essentially entrust a processor with certain data responsibilities, and that processor may, in turn, delegate some of these tasks to a sub-processor.

For instance, if you’re operating an online platform, you may use a cloud service provider to handle your data storage — that provider is your processor.

Now, if the cloud service provider uses another company to maintain the servers, that company becomes your sub-processor.

This chain of data handling must be transparent and compliant with data protection regulations like the GDPR.

You should be aware that while sub-processors are a step removed from you, their compliance with data protection laws is still your responsibility.

Differences Between Data Processors and Controllers

Data processors and data controllers are two distinct roles defined under the GDPR.

A data controller determines the purposes and means of processing personal data, essentially deciding “why” and “how” data should be processed. They hold the primary responsibility for the data, including its protection and the respect of data subjects’ rights.

In contrast, a data processor is an entity that processes personal data on behalf of the controller, following the controller’s instructions. They do not own the data nor decide on the processing activities, except within the boundaries set by the controller.

Controllers are typically the organizations that collect data directly from data subjects, such as online retailers or social media platforms.

Processors are usually third parties that handle data processing tasks like cloud storage providers or analytics firms. Processors have less autonomy but must adhere to strict guidelines laid out by the controller and are also subject to GDPR obligations.

They must ensure the security of the data and can be held liable if they fail to meet GDPR standards or follow the controller’s instructions.

Data Processors’ Legal Obligations and Penalties

Data processors face significant legal implications if they fail to comply with their obligations. They are directly accountable for implementing appropriate technical and organizational measures to ensure data processing adheres to GDPR requirements.

Processors must only act on the documented instructions of the data controller and assist controllers in fulfilling their GDPR obligations concerning the rights of data subjects.

If a data processor violates these obligations, for instance, by not securing data adequately, it can lead to severe penalties including fines up to 4% of annual global turnover or €20 million, whichever is higher. They may also be liable for damages to data subjects.

PRO TIP: Processors also have specific responsibilities in the event of a data breach, such as notifying the controller without undue delay after becoming aware of it.

Who Is Considered a Data Processor?

Let’s look at some common examples of data processors and their functions:

Cloud Service Providers

Companies like Amazon Web Services (AWS) or Google Cloud Platform serve as data processors when they store and manage data for other businesses.

They ensure that your data is available, scalable, and secure. However, they act on your instructions; you control the data and decide how it should be used.

Payment Processors

Services like PayPal or Stripe process financial transactions for e-commerce sites. They handle sensitive financial data, executing the transaction between the customer and you, the merchant.

While doing so, they must protect this data in accordance with PCI DSS and other relevant data security standards.

Email Marketing Services

Platforms such as Mailchimp process contact lists and send out emails on behalf of a company. They track interaction data like opens and clicks, providing valuable analytics. They handle the data but don’t decide on the campaign’s content or strategy.

Analytics Services

Tools like Google Analytics collect and analyze website visitor data, helping you understand user behavior. They process massive amounts of data but operate under the parameters set by the website operator.

Is Your Business a Data Processor?

To determine if your business is a data processor, you need to assess your data handling activities. As a data processor, you would be managing personal data on behalf of another entity, known as the data controller.

This means that you do not own the data but process it according to the instructions provided by the controller. Your operations might include data storage, analysis, destruction, and other technical tasks.

If your activities involve handling data at the direction of your clients and you have no say in why or how the data is processed, you likely stand as a processor.

As a processor, you must implement appropriate security measures, report data breaches in a timely manner, and ensure the legality of your processing activities. Failing to comply can lead to significant penalties.

PRO TIP: It’s important to understand this role because it defines your obligations under data protection laws.

Data Processor Self-Assessment Questionnaire

As I mentioned, understanding your role is vital because it dictates the scope of your legal responsibilities and the measures you need to take to ensure compliance with data protection laws.

Answering “yes” to most of the questions below suggests that you are functioning as a data processor.

  1. Do you handle personal data on behalf of other businesses?
  2. Are your data-related activities and purposes dictated by your clients?
  3. Do you have written contracts with these entities outlining your data processing responsibilities?
  4. Are you prohibited from using the data you process for your own purposes?
  5. Do you provide data processing services that are integral to your client’s offerings?
  6. Are you required to follow specific instructions from your clients regarding the handling of personal data?
  7. Do you take technical and organizational measures to ensure data protection compliance?
  8. In the event of a data breach, is your protocol to inform your clients rather than the data subjects directly?

Best Practices for Data Processors to Ensure GDPR Compliance

Consider these best practices below to ensure compliance and protect your users’ data effectively:

Data Security

Investing in robust security measures is a cornerstone of GDPR compliance. This means employing state-of-the-art technologies to secure personal data against unauthorized access, disclosure, alteration, and destruction.

Such measures include strong encryption, firewalls, anti-malware tools, and secure data storage solutions.

Documentation

Keeping thorough records is also essential. This isn’t just about logging what data you collect and process; it’s about tracking the lifecycle of personal data, including how and when consent was obtained, how the data is used, and how you respond to data breaches.

Good documentation not only proves compliance but also acts as a guidepost for your data protection policies.

Transparency

As a data processor, you must ensure open and clear communication with data controllers. Be prepared to provide detailed accounts of data processing activities and to respond promptly to data subject access requests.

Employee Training

Your employees should be well-versed in GDPR mandates and understand their role in protecting personal data.

Training should cover the fundamentals of data protection, the specifics of GDPR, and the importance of their adherence to your organization’s data protection policies.

Regular training sessions ensure that employees remain aware of their responsibilities and the consequences of non-compliance.

Regular Audits

Conducting regular audits helps ensure continuous compliance with GDPR. These audits should scrutinize your data processing activities, security measures, documentation, and adherence to the rights of data subjects.

Audits can uncover gaps in your data protection framework and prompt timely remediation, thereby minimizing the risk of non-compliance.

Data Protection Impact Assessments

Before introducing new processes or technologies that handle personal data, conducting a data protection impact assessment is prudent.

These assessments evaluate how the new activities affect the security and privacy of personal data and whether they adhere to GDPR requirements.

Frequently Asked Questions

What is a data processor under GDPR?

A data processor manages personal data as directed by a data controller, ensuring data security and process recording without deciding on the data’s purpose or use.

What are the main responsibilities of a data processor?

Implementing security measures, notifying controllers of data breaches promptly, and aiding in upholding data subjects’ rights under GDPR are key responsibilities.

How are data processors and controllers different?

Controllers decide the “why” and “how” of data processing, while processors handle data based on controllers’ instructions, without decision-making authority.

What happens if a data processor breaches GDPR obligations?

Breaching GDPR obligations can lead to severe penalties for data processors, including fines and legal liabilities, emphasizing their crucial role in data protection.

Are data processors liable for data breaches?

Yes, data processors are liable and must notify data controllers promptly in the event of a data breach to help mitigate potential damages and ensure GDPR compliance.

How can a business determine if it’s a data processor?

Assess if you manage personal data on behalf of others, following their instructions without deciding on data processing activities; this indicates a data processor role.

Andreea Mare
CIPP/E, CIPM, FIP, ECPC-B, LLM
Andreea is a data protection and privacy specialist with many years of education and expertise in this area of law. She helps clients by ensuring compliance is reached on all levels while taking into account the legal requirements and their business’s needs.