What is a processor?

Key points:

(1) A processor is an individual or entity that process personal data on behalf of the controller

(2) Who is the controller in any given situation regarding any given data set is a factual determination

(3) A controller must, at the minimum, provide instructions with regard to the purpose of the processing and the essential elements of the means but the processor may be allowed to choose the most suitable technical and organizational means.

A controller can decide to delegate all or part of the processing activities to an external organization. A processor under GDPR is an individual or entity that processes personal data on behalf of the controller.

Therefore, the two basic conditions for qualifying as a processor are on the one hand being a separate legal entity or person with respect to the controller and on the other hand processing personal data on his behalf.

“Individuals or entities”: Just as with the definition of controller, a broad series of persons can play the role of processor, ranging from natural to legal persons and including any other entity or individual. Logically, the processor must…