Examples
Worked examples
- Is an instance
A university engages a SaaS survey platform to host participant responses; the vendor signs a Data Processing Agreement under Article 28 specifying the documented instructions and security measures.
- Is an instance
A transcription service handling audio recordings of qualitative interviews on behalf of the research team acts as a processor and is bound by Article 28 obligations.
Counter-examples
Looks similar, but isn't
- Not an instance
A consultancy that reuses controller-provided data for its own marketing purposes acts as a controller for that secondary purpose, not as a processor.
- Not an instance
A peer reviewer acting in their independent academic capacity is not a processor of the journal's editorial data.
Editorial commentary
Processors carry GDPR obligations of their own under Article 28, including ensuring confidentiality of personnel, implementing appropriate security measures, engaging sub-processors only with the controller's authorisation, assisting the controller with data-subject requests and DPIAs, deleting or returning data at the end of the engagement, and making available the information necessary to demonstrate compliance. Acting outside the controller's documented instructions can re-cast the processor as a controller for that processing, with full controller liability. Article 28 contracts must specify subject-matter and duration, nature and purpose, type of personal data, categories of data subjects, and the controller's obligations and rights.
References
- GDPR Regulation (EU) 2016/679 Article 4(8) and Article 28 processor
- European Data Protection Board Guidelines 07/2020 on the concepts of controller and processor
- European Commission Standard Contractual Clauses between controllers and processors (Implementing Decision (EU) 2021/915)
Also known as
processor · GDPR processor · data-processing supplier
Machine-readable encodings
Use in your systems
<role vocab="credit"
vocab-identifier="https://casrai.org/dictionary/"
vocab-term="Data processor"
vocab-term-identifier="https://casrai.org/dictionary/term/data-processor" />{
"@context": "https://schema.org",
"@type": "DefinedTerm",
"name": "Data processor",
"identifier": "https://casrai.org/dictionary/term/data-processor",
"description": "A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, as defined in Article 4(8) of the GDPR, only on documented instructions from the controller and bound by a written contract meeting Article 28 requirements.",
"inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
"url": "https://casrai.org/dictionary/term/data-processor",
"sameAs": [
"processor",
"GDPR processor",
"data-processing supplier"
],
"license": "https://creativecommons.org/licenses/by/4.0/"
}
