Data Processor
Definition under Article 4(8) GDPR — service provider processing on behalf of the controller
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A data processor under Article 4(8) GDPR is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. The relationship is governed by a DPA under Article 28.
What is a Data Processor?
Typical data processors:
- IT hosting providers (AWS, Azure, GCP, Hetzner)
- Cloud software (Microsoft 365, Salesforce, HubSpot)
- Newsletter tools (Mailchimp, Brevo, CleverReach)
- Payroll service providers
- IT maintenance with data access
NOT data processors:
- Tax advisors (BayLDA 2024 — independent controllers)
- Banks (own statutory obligations)
- Postal services (technical delivery)
Practical example
A 30-employee mechanical engineering firm has the following processors:
- Microsoft (M365 hosting) — DPA in place
- Mailchimp (newsletter) — DPA + DPF guarantee
- HubSpot (CRM) — DPA in place
- External payroll accountant — DPA (where qualified as a processor)
- IT service provider (maintenance) — DPA in place
Frequently asked questions
What must a DPA contain?
8 mandatory contents (Article 28(3)): subject matter, duration, nature and purpose, data categories, obligations, confidentiality, sub-processing, assistance with data subject rights, and TOMs.
Who controls the processors?
The controller bears the duty of selection and control. In practice: annual processor list review plus risk-based TOM audit.
Who is liable for a processor breach?
Primarily the controller (externally). The processor is additionally liable for its own breaches of duty — internal recourse via the DPA.