A data processor is any person, authority, organisation or other body which processes data on behalf of a data controller.
A data processor has many obligations in ensuring that the personal data being processed is afforded the same protections as if it were being processed by the controller. The controller is therefore required to ensure that:
- A contract is in place between the parties
- Data is processed only under written instruction from the controller
- Technical and organisational security is in place
- The processor does not subcontract to another processor unless they have written approval from the controller
Each of these requirements means that a data processor relationship must be entered into following due diligence, and that this due diligence must be evidenced.
Examples of data processors:
- Your HR department processes personal data of candidates and employees. Some of these HR activities might be outsourced (e.g. payroll services). The company you outsource to is then a processor.
- Your marketing team processes personal data of potential and existing customers and employs an email marketing company that uses the data provided by marketing for campaigns. This email marketing company is therefore a processor.