Data Processor

From Open Risk Manual


According to Article 3 (12) of Regulation (EU) 2018/1725, a Data Processor shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

The essential element is therefore that the processor only acts "on behalf of the controller" and thus only subject to his instructions.


For example, a security company monitoring the entries into an institution's building is not processing personal data of the persons entering a building for its own purpose, but on behalf of the institution concerned.

In some cases, the processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf. In practice, this will depend upon the processor agreement entered into with the controller.

See Also