A Data Processor is an entity that processes personal data on behalf of a Data Controller.
This processing involves any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
For instance, if you own an online store, you might use a third-party payment processing service to handle transactions. In this scenario, the payment service acts as the data processor, managing your customers’ financial data under your instructions.
The relationship between you (the Data Controller) and the Data Processor must be regulated by a contract or other legal act under EU law or the law of Member States, stipulating the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and the obligations and rights of the controller.
This is to ensure that the processing is conducted in accordance with the applicable data protection laws, such as the General Data Protection Regulation (GDPR) if you operate within or cater to individuals in the European Union.
The Data Processor has specific legal obligations, including ensuring the security of the data they process, keeping records of processing activities, and notifying the Data Controller of any data breaches without undue delay.
For example, suppose the third-party payment processor experiences a data breach.
In that case, they are required to inform you immediately so that you can take appropriate measures, including notifying affected individuals and the relevant regulatory authorities if necessary.
Data Processors cannot engage another processor (sub-processor) without prior specific or general written authorization of the Data Controller.
If general authorization is given, the Processor must inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.