What is a data processor responsible for in the context of GDPR?
A data processor under GDPR is responsible for processing personal data only on documented instructions from the data controller, and must implement strong technical and organisational measures to protect that data. They have their own direct legal duties under GDPR and can be fined independently if they fail to meet them.
What “data processor” means in GDPR
A data processor is any organisation or person (other than an employee of the controller) that processes personal data on behalf of a data controller. Examples include cloud hosting providers, payroll companies, marketing platforms, and outsourced IT support.
Simple view: the controller decides the “why” and “what”; the processor carries out the “how” within the controller’s instructions.
Core responsibilities of a data processor
Key responsibilities in the context of GDPR include:
- Process personal data only on the controller’s documented instructions, including for international transfers.
- Implement appropriate technical and organisational security measures (e.g. access controls, encryption, staff training, logging, backup).
- Ensure staff who process data are bound by confidentiality obligations.
- Keep records of processing activities where required and support GDPR accountability requirements.
- Engage sub‑processors only with the controller’s prior authorisation and under a written contract with equivalent protections.
- Assist the controller in responding to data subject rights requests (access, rectification, erasure, objection, portability, etc.).
- Assist the controller with security, data protection impact assessments (DPIAs), and consultations with supervisory authorities.
- Notify the controller without undue delay after becoming aware of a personal data breach.
- At the end of the contract, delete or return personal data to the controller and delete remaining copies unless law requires retention.
- Make information available to the controller to demonstrate compliance and allow for or contribute to audits and inspections.
The processor–controller contract (Article 28)
GDPR requires a specific written contract (data processing agreement, DPA) between controller and processor. That contract must:
- Set out the subject matter, duration, nature, and purpose of processing.
- Describe the types of personal data and categories of data subjects.
- Define the controller’s rights and obligations and the processor’s duties.
- Include clauses on security measures, sub‑processors, international transfers, breach notification, assistance with rights and DPIAs, and data return/deletion at end of services.
This contract is what legally limits the processor’s role and proves compliance if regulators investigate.
Practical example (to make it concrete)
Imagine an HR software company that hosts employee data for many client firms:
- The client (employer) is the controller; it decides why and which employee data is processed.
- The HR software provider is the processor; it stores, displays, and analyses the data under the client’s instructions.
- The processor must secure the data, keep staff bound to confidentiality, notify the client if there’s a breach, and help respond when an employee asks for access or deletion of their data.
Quick recap in one line
A GDPR data processor must follow the controller’s documented instructions, protect personal data with appropriate measures, assist the controller with GDPR duties (rights, DPIAs, breaches), manage sub‑processors correctly, and return/delete data at the end of the relationship, all under a detailed Article 28 contract.