Data Processor

A data processor is any organization or person that processes personal data on behalf of a data controller. The processor acts under the controller's instructions and does not determine the purposes or means of processing. This distinction, established primarily by the GDPR, defines different compliance obligations for each role.

Processor vs. Controller

The key difference is decision-making authority:

• A data controller decides why and how personal data is processed (the purposes and means)
• A data processor carries out the processing according to the controller's instructions

For example, a SaaS company that provides email marketing services processes customer email lists on behalf of its clients. The SaaS company is the processor; its clients are the controllers.

Processor Obligations Under GDPR

GDPR Article 28 imposes specific requirements on data processors:

• Process only on documented instructions from the controller
• Ensure confidentiality — personnel processing data must be bound by confidentiality obligations
• Implement appropriate security measures in accordance with Article 32
• Engage sub-processors only with the controller's prior written authorization
• Assist the controller with data subject requests, breach notifications, and impact assessments
• Delete or return data at the end of the service relationship
• Submit to audits and inspections by the controller or its designated auditor

Why It Matters

Many SaaS companies function as data processors. If your product handles customer data, you likely have processor obligations under GDPR. Understanding your role is essential for:

• Drafting appropriate data processing agreements (DPAs)
• Implementing the right level of security controls
• Responding correctly to data subject access requests
• Meeting breach notification obligations (processors must notify controllers without undue delay)

SOC 2 reports and ISO 27001 certifications are commonly used by processors to demonstrate their security posture to controllers, reducing the need for individual customer audits.

HIPAA uses similar concepts with "covered entities" (analogous to controllers) and "business associates" (analogous to processors), each with defined obligations under a Business Associate Agreement.