Data Processor Defined

Data Processors – Definition and Description

What Is a Data Processor?

The data processor only processes identifiable personal data on behalf of the data controller. The data processor is usually a third party that is external to the company.

In a contract or another legal act, the duties of the processor towards the controller must be specified, such as letting data controllers know what happens with personal data once a private contract is terminated.

Data processors include machines that perform operations on data, such as calculators or computers, and now cloud service providers can be labelled as data processors.

A third-party data processor doesn’t own or control the data they process. The data processor can’t change the purpose of the data or how it’s used.

What Duties Do Data Processors Have?

Data processors carry out various data processing tasks for a business, such as storing data, retrieving data, running the payroll, marketing activities, or providing security for data.

What Does Data Processor Mean?

Processing defines any operation or set of operations performed on personal data or sets of individual private data, whether by automated means or not, such as gathering, recording, organisation, structuring, storage, adaptation or alteration, consultation, use, disclosure by transmission, dissemination.

In the General Data Protection Regulation, the controller and the data processor have similar responsibilities, and under the GDPR they also adhere to similar principles. Compared with the predecessor of GDPR, there is not much change regarding what a data processor is.

Data processors need to assist controllers in certain circumstances, for example, in a potential personal data breach notification or considering a Data Protection Impact Assessment (DPIA).


Examples of Data Processors

The controller of your organisation’s HR department has methods to process the personal data of applicants and employees that need to be protected. It’s possible that some of the HR data processing activities could be done by a third party. The company that you outsource to is a processor.

Your marketing team processes personal data of potential customers and existing customers. When it works with an email marketing company or agency that uses this data for campaigns, the latter are processors.

When you want a potential customer to dial into a specific number in the scope of a campaign on TV, and so on, you may have outsourced the inbound contact centre activities of your organisation or used a call centre.

The data subjects are the people who call in, and the contact centre becomes the processor.

The processor never owns the personal data. The controller doesn’t own the personal data of his customers, prospects, employees, or anyone else. The natural person owns the personal data.

What Is a Sub-Processor?

If a processor uses a sub-processor to assist with the processing of personal data for a controller, your data processor needs to have a written contract with that sub-processor. A sub-processor is usually another organisation.

What should be included in the contract:

  • The processing subject matter.
  • The amount of time that the processing takes.
  • The purpose of the processing and nature of the process.
  • The types of data involved.
  • The categories of data subjects.
  • The controller’s responsibilities and rights.

The contract or other legal act can include terms or clauses, such as:

  • Unless the law requires it, the controller’s documented instructions are the only instructions the processor must act on.
  • The processor must ensure that the people processing the data are subject to a duty of confidentiality.
  • Appropriate measures need to be taken to ensure the security of the processing.
  • Under a written contract, the processor must only engage a sub-processor with the controller’s prior approval.
  • Appropriate measures must be taken to help the controller respond to requests from individuals to exercise their rights.
  • The data controller needs the help of the processor in meeting its obligations concerning security of processing, declaration of personal data breaches and data protection impact assessments.
  • At the end of the contract, the processor must return all personal data to the controller. If the law requires it, the processor must also destroy existing personal data unless stated explicitly that data needs to be held in storage.
  • The processor is required to submit to audits and inspections. The processor needs to give the controller all the information needed to ensure they meet their GDPR Article 28 obligations.

GDPR Compliance and Data Processors

Data Processor Personal Responsibilities

For example, there are a lot of employees at the brewery. The company signs a contract with a payroll company to pay wages.

When an employee has a pay rise or leaves, the brewery tells the payroll company when the wages should or shouldn’t be paid.

The brewery will be the data controller, and the payroll company will be the data processor.

Are you a data processor?

  • You are following instructions on how to process personal data.
  • You were told what data to collect by either the customer or a third party.
  • You don’t decide to collect personal data from individuals.
  • You don’t have a say in what personal data is collected from individuals.
  • You don’t decide the lawful basis for the use of that data.
  • You don’t decide what purpose the data will be used for.
  • You don’t decide if the data should be disclosed or to whom.
  • You don’t have a decision on how long to retain the data.
  • You can make some decisions on how data is processed, but only if you have a contract with someone else.
  • The end result of the processing isn’t something you are interested in.

It’s Important to Understand Your Role in GDPR Compliance

The General Data Protection Regulation has outlined the different roles and responsibilities expected of a data controller or a data processor.

You can be confident that you’ve accomplished everything that needs to be done on your part by making sure you adhere to the law.

Data Processing Obligations – Critical GDPR Articles

Processors have less independence over the data they process, but they do have legal responsibilities under the UK GDPR law and are subject to regulation by the authorities.

If you are a processor, you have some responsibilities and obligations, such as:

  1. Accountability obligations – You have to maintain records and appoint a data protection officer to comply with certain GDPR accountability obligations.
  2. International transfers – The UK’s prohibition on transferring personal data to other people aligns with the EU’s prohibition on transferring personal data to other people. You have to ensure that any transfer outside the UK is approved by the controller and complies with the UK GDPR’s transfer provisions.
  3. Co-operation with supervisory authorities – You are obliged to help the authorities perform their duties by cooperating with them, such as the Information Commissioner’s Office (ICO).

Data Controllers need to make sure that they work with Data Processors who offer guarantees regarding their capability to process personal data and comply in line with the GDPR and protection of the rights of the data subject.

Who Does the UK GDPR Apply To?

UK GDPR applies to data processing carried out by organisations in the UK. It applies to organisations outside of the UK that offer goods or services to individuals in the UK.

Under GDPR, certain activities are not subject to data protection law, including processing for national security purposes, processing handled by individuals purely for personal/household activities and processing covered by the Law Enforcement Directive.

The Brexit transition period ended in December 2020. UK organisations that process personal data have to comply with:

  • The DPA (Data Protection Act) 2018.
  • UK GDPR (if they process only domestic personal data).

There are minimal differences between the UK GDPR and the EU equivalent. The EU’s structure has been lifted by the UK and put in place in the country’s law.


Your Business and Your Data Protection System

Who Oversees How Personal Data Is Processed Within an Organisation?

Processors have fewer obligations but must be careful to only process personal data according to the controller’s instructions.

Your Organisation Is Required to Designate a DPO

The Data Protection Officer, whom the company may have designated, is responsible for overseeing how personal data is processed and for notifying and advising employees who process personal data.

The DPO also communicates and cooperates with the Data Protection Authority (DPA).

There is a requirement for your company to appoint a DPO when:

  • You monitor individuals and process categories of data regularly.
  • Data processing is a core activity of the business.
  • The organisation processes data on a large scale.

The DPO may be a member of your organisation or may be contracted based on a service contract.

Are Employees Classed As Data Processors?

A data processor is a natural person, agency, public authority, or any other body that holds personal data on behalf of a controller.

Your staff is processing the data according to your instructions. Your team are not considered to be third parties in the legal sense, and therefore any processing they do is part of the action of a data controller.

If you use staff you don’t have a direct contract of employment with, for example agency staff whom the agency pays, the agency acts as a data processor.

An Example and Tasks Of A Data Processor

The following list explains the typical tasks of a data processor:

  • IT processes and systems that enable the data controller to gather personal data would be designed, created, and implemented.
  • Use tools and techniques that can be used to collect personal data.
  • Security measures can be put in place to protect personal data.
  • Personal data gathered by the data controller can be stored.
  • Data is transferred from the data controller to another organisation and vice versa.

An Example of a Data Processor in the Workplace

Your marketing team collects personal data of potential and existing customers. When your organisation works with an email marketing company or agency that uses this data, the latter are processors.

Personal Data Processing, Record Keeping and Secure Processing Architecture

Article 5 of the GDPR principles clearly outlines what a data subject would expect when their personal data is processed.

Personally identifiable data is any information that can be used to identify an individual. This includes names, addresses, phone numbers, credit card details and the like.

What identifies an individual could be as straightforward as a name or a number, or it could include other factors such as an internet protocol address or a cookie identifier.

If you can identify an individual directly from the information you are processing, that information may be personal data.

You need to think about whether the individual is still identifiable if you cannot directly identify them. All of the resources reasonably likely to be used to identify that individual should be considered, along with the information you are processing.

When considering whether information “relates” to an individual, you need to account for a variety of factors, including the content of the data, the purpose or purposes for which you are processing it, and the likely impact of that processing on the individual.

Can Data Controllers Have Different Identifiable Information?

It’s possible that the same information is personally identifiable for one controller’s purposes but is not personally identifiable for the purposes of another controller.

Information that has been removed or replaced to conceal the data is still personal data for the purposes of UK GDPR.

Information that is truly anonymous is not covered by the UK’s General Data Protection Regulation.

Information that seems to relate to a specific individual is still personal data, as it relates to that individual, even if it is not accurate.

Maintain a Record of Activity

Making sure your business is GDPR compliant is crucial. An excellent way to start this is by undertaking an information audit and/or data-mapping exercise to ensure you know what personal data your organisation holds and where.

A company is subject to fines if it does not maintain records of processing activities or provide a complete index to authorities. This is according to Article 83.4.a of the GDPR.

Data Processor FAQ

What Is The Difference Between A Data Controller And A Data Processor?

There is a clear difference between a data controller and a data processor according to the GDPR framework. According to the regulation, not all organisations involved in processing personal data have an equal level of responsibility.

Data Controller Differences:

  • The individual information of your customers, site visitors, and other targets should be collected. You must have the legal authority to do that.
  • You can change or modify the data that you have.
  • How to use the data and what purpose it is used for.
  • Should the data be kept in-house, or should it be shared with third parties? You have to figure out who to share the information with.
  • When to dispose of the data and how long it should be kept.

Data Processor Differences:

  • Design, create and implement systems that will allow the data controller to gather personal data.
  • What strategies and tools your organisation uses for collecting personal data.
  • What security measures can be put in place to protect personal data.
  • What personal data is gathered by the data controller.
  • How you transfer data from the data controller to different organisations and vice versa.

What Must Be Included In A Contract Between a Processor And A Sub-Processor?

When a data controller instructs a data processor for personal data processing and that processor employs another processor (sub-processor), a contract is needed as stated under Article 28.3 of the GDPR. The contract lays out the parties' responsibilities and liabilities, making it essential.
