Processors
A processor is an individual or an organisation that processes personal data on behalf of a controller.
The controller determines the purposes and means of processing personal data.
A processor can be, for example, a business, a self-employed individual, a public authority or a non-governmental organisation. Processors include an extremely wide range of service providers.
The term processor does not refer to a controller’s employees who process personal data as part of their jobs.
Job descriptions of processors
The job descriptions of processors can be strictly defined, such as in the case of outsourced postal deliveries. Other processors have broad and varied job descriptions, which can involve managing a service on behalf of another organisation, such as payroll services.
The regulations governing processors apply to the following service providers, among others:
- IT service providers, software integrators, cyber security companies and IT consultancy businesses that have access to a controller’s personal data
- Health care laboratories that process samples on behalf of a controller
- Marketing and communications agencies that process personal data on behalf of their clients
- More generally all organisations whose services include processing personal data on behalf of another organisation
- Public authorities and non-governmental organisations can also be processors
Software publishers and system manufacturers, such as manufacturers of working hours monitoring systems, biometric devices and drug delivery devices, are not considered to be processors if they do not have access to personal data and do not process personal data.
Organisations can process personal data on behalf of another as processors. However, such organisations are considered to be controllers when they process personal data for their own purposes and not on behalf of their clients. An organisation is deemed to be a controller, for example, when it processes its own staff’s personal data.
Processors can only process personal data for the purposes specified by the controller. Processors cannot begin to process, for their own purposes, personal data that they are meant to process on behalf of a controller.
The processing of personal data carried out by the processor must be specified in a personal data processing agreement or other legal document. The absence of an agreement is in breach of the provisions of the GDPR.
Business A delivers marketing letters based on a customer information register of businesses B and C.
Business A is a processor in respect of businesses B and C, if it processes the customer information required for posting the letters on behalf of businesses B and C and according to their instructions.
Businesses B and C are controllers in respect of their customers’ personal data, including the delivery of the marketing letters.
Business A is a controller in respect of the personal data of its own employees and the personal data of its clients’ (B and C) contact persons.
Read more:
EDPB guidelines 07/2020 on the concepts of controller and processor in the GDPR (pdf)
Standard contractual clauses for controllers and processors in the EU/EEA on the website of the European Commission