
Data Processor

GDPR

An entity processing personal data on behalf of a controller, governed by a written DPA (GDPR Art. 28).

A data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller, under documented instructions and a contract meeting GDPR Art. 28 requirements.

Why it matters
Processors have direct GDPR obligations (security, sub-processor flow-down, breach notice to controller, records of processing). Procurement increasingly requires processors to evidence those controls before signing.

Related terms

Data Controller
The entity that determines the purposes and means of personal data processing (GDPR Art. 4(7)).
Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
Sub-Processor
A third party engaged by a processor to carry out specific processing activities on behalf of a controller.
