Data Processor

From Open Risk Manual

Definition

According to Article 3 (12) of Regulation (EU) 2018/1725, a Data Processor shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

The essential element is therefore that the processor only acts "on behalf of the controller" and thus only subject to his instructions.

Example

For example, a security company monitoring the entries into an institution's building is not processing personal data of the persons entering a building for its own purpose, but on behalf of the institution concerned.

In some cases, the processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf. In practice, this will depend upon the processor agreement entered into with the controller.

See Also

References