Data Processor
An entity that processes personal data on behalf of and under the instructions of a data controller.
Also known as: Processor, Data Processing Entity, Third-Party Processor
Category: Concepts
Tags: privacy, data-protection, compliance, outsourcing, regulations
Explanation
A data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Unlike controllers, who decide why and how data is processed, processors act under the controller's instructions.
Key characteristics of a data processor:
1) Acts under authority - processes data only as instructed by the controller
2) No independent decision-making - doesn't determine purposes of processing
3) Contractual relationship - must have a data processing agreement with the controller
4) Direct obligations - GDPR imposes specific duties directly on processors
Processor obligations include:
- Process data only on documented controller instructions
- Ensure personnel are bound by confidentiality
- Implement appropriate security measures
- Engage sub-processors only with controller authorization
- Assist controller with data subject rights and compliance obligations
- Delete or return data after services end
- Make available information demonstrating compliance
- Notify controller of data breaches without undue delay
Common examples of data processors:
- Cloud service providers (AWS, Azure, Google Cloud)
- Payroll processing companies
- Email marketing platforms
- Customer support outsourcing firms
- Data analytics providers
- Backup and disaster recovery services
Processor vs. Controller determination:
If an entity starts making its own decisions about purposes or essential means of processing, it may become a controller (or joint controller) with associated responsibilities.
Data Processing Agreements (DPAs) must include: subject matter and duration, nature and purpose, data types, data subject categories, controller obligations and rights, and requirements for sub-processing.
Liability: Processors can be directly fined for their own violations and may be liable for damages if they acted outside controller instructions or failed to meet processor-specific obligations.