A data processor, typically a third party to an organization, analyzes, stores, transforms or performs some other form of processing of personal data for the data controller. The data controller (the organization that owns and controls the data) may also perform data processor functions in the execution of normal business processes. Data processors do not own the data, and their activities are controlled and directed by the data controller. However, the processor is bound by the rules and obligations applicable to the controller.
GDPR provides specific definitions and responsibilities for data processors as well as data controllers. Data processors are bound by GDPR requirements regardless of their location, so long as their service includes the processing of EU citizen data for the data controller.
Article 28 of the GDPR defines the processor and its responsibilities. The following passage from Article 28 provides context for the definition and role of processors: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”