Skip to main content
v2026.1714 entries · CC-BY 4.0
CiteLicenceEN-GB
CASRAI

Definition · Plain-language

Data processor

A data processor is the entity that processes personal data on behalf of a data controller, acting on the controller’s documented instructions.

CASRAI research-methods explainer — Data processor

The step most authors miss

Doing CRediT right? Don’t stop at the statement.

A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.

Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.

Sign in with ORCID — free Why this matters →

Acting on instructions

The defining feature of a processor is that it does not decide why personal data is processed. It acts on behalf of, and on the documented instructions of, the controller. Typical processors include cloud-storage providers, survey platforms, transcription services and analytics vendors engaged by a research team. If a supplier begins to determine its own purposes for the data — using it for its own ends — it can become a controller for that activity, with the heavier accountability that brings.

Processor obligations

GDPR gives processors direct obligations, not just contractual ones. They must implement appropriate security, keep records of processing, support the controller in meeting data subject rights and breach duties, and only engage sub-processors under defined conditions. These duties exist alongside the data processing agreement that GDPR requires between controller and processor. The arrangement is designed so accountability follows the data even when handling is outsourced.

Processors in research workflows

Modern research relies heavily on processors — managed databases, electronic data-capture tools and specialist analysis services. Identifying which suppliers are processors clarifies who must sign a data processing agreement and what security expectations apply. Treating these relationships explicitly helps protect participants and supports trustworthy, FAIR-aligned data management, because the chain of responsibility for personal data stays clear from collection through to sharing.

Key facts

At a glance

  • Definition: entity processing personal data on a controller’s behalf
  • Source: GDPR Article 4(8)
  • Test: acts on the controller’s documented instructions
  • Examples: cloud hosts, survey tools, analytics vendors
  • Direct duties: security, records, breach support, sub-processor control
  • Contract: must operate under a data processing agreement

Common misconceptions

What people often get wrong

Often heard: Processors have no direct legal obligations, only the controller does.

Actually: GDPR gives processors their own direct duties — security, records of processing, breach support and controlled use of sub-processors — in addition to their contractual obligations to the controller.

Often heard: A supplier is always a processor once it touches personal data.

Actually: A supplier is a processor only while acting on the controller’s instructions. If it starts determining its own purposes for the data, it becomes a controller for that activity.

Often heard: A processor can freely bring in sub-processors of its choosing.

Actually: Processors may engage sub-processors only under defined conditions, typically with the controller’s authorisation and equivalent obligations passed down the chain.

Going deeper

Related CASRAI guidance

Data controllerData processing agreementData breachData anonymisationStandards dictionary

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →