A processor is an individual or an organisation that processes personal data on behalf of a controller. 

Processors operate according to the controller’s instructions and under its supervision.
The controller determines the purposes and means of processing personal data.

The term processor does not refer to a controller’s employees who process personal data as part of their jobs.

A processor can be, for example, a business, a self-employed individual, a public authority or a non-governmental organisation. Processors include an extremely wide range of service providers.

Job descriptions of processors

The job descriptions of processors can be strictly defined, such as in the case of outsourced postal deliveries. Some processors have broad and variegated job descriptions, and they can involve managing a service on behalf of another organisation, such as payroll services.

The regulations governing processors apply to the following service providers, among others:

  • IT service providers, software integrators, cyber security companies and IT consultancy businesses that have access to a controller’s personal data
  • Health care laboratories that process samples on behalf of a controller
  • Marketing and communications agencies that process personal data on behalf of their clients
  • More generally all organisations whose services include processing personal data on behalf of another organisation
  • Public authorities and non-governmental organisations can also be processors

Software publishers and system manufacturers, such as manufacturers of working hours monitoring systems, biometric devices and drug delivery devices, are not considered to be processors if they do not have access to personal data and do not process personal data.

Organisations can process personal data on behalf of another as processors. However, such organisations are considered to be controllers when they processes personal data for their own purposes and not on behalf of their clients. An organisation is deemed to be a controller, for example, when it processes its own staff’s personal data.

Processors can only process personal data for the purposes specified by the controller. Processors cannot begin to process personal data that they are meant to process on behalf of a controller for their own purposes by identifying purposes and means of processing.

Read more:

​​​​​​​​​​EDPB guidelines 07/2020 on the concepts of controller and processor in the GDPR (pdf)

​​​​​​​Standard contractual clauses for controllers and processors in the EU/EEA on the website of the European commission