What Is a Data Processor Under GDPR?

Art. 4(8) GDPR defines data processors as entities processing personal data on behalf of controllers. Learn their duties, Art. 28 contracts, and enforcement risks.

Every organisation that outsources data handling to a third party creates a controller-processor relationship governed by the GDPR. The regulation places direct obligations on data processors, not just on the controllers who engage them. Since 2024, supervisory authorities have begun enforcing against processors independently — making it essential to understand the GDPR’s definition of a data processor, the contractual framework under Art. 28, and the enforcement risks that apply.

Key Takeaways

  • A data processor under GDPR is any entity that processes personal data on behalf of a controller, as defined in Art. 4(8).
  • Controllers determine the “why” and “what” of processing; processors determine the “how” within the controller’s instructions.
  • Art. 28(3) GDPR requires a written Data Processing Agreement (DPA) covering subject matter, duration, nature, purpose, data types, and data subject categories.
  • Processors carry direct liability under Art. 82(2) and can be fined independently under Art. 83 — the ICO’s 2025 fine against Advanced Computer Software Group was the first UK processor-specific penalty.
  • Missing or deficient DPAs are themselves an infringement, with fines up to EUR 10 million or 2% of worldwide turnover.

Art. 4(8) GDPR: The Data Processor Definition

The GDPR assigns distinct roles to entities involved in personal data processing. Article 4(8) defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The critical phrase is “on behalf of.” A data processor under the GDPR does not determine the purposes or essential means of processing. It executes the controller’s instructions.

The EDPB’s Guidelines 07/2020 introduced a distinction between “essential means” and “non-essential means.” A processor may make decisions about non-essential means — specific hardware, software, or security configurations. However, decisions about essential means remain with the controller: the types of data collected, the duration of processing, the categories of data subjects, and the purposes of processing.

Common Examples of Data Processors

| Processor type | What they do | Why they are processors |
|---|---|---|
| Cloud hosting provider (AWS, Azure, GCP) | Stores customer databases on behalf of clients | Does not determine processing purposes; acts on controller instructions |
| Payroll service provider (ADP, Sage) | Processes employee salary data for the client | Processes data strictly for the employer’s defined purpose |
| Email marketing platform (Mailchimp, Brevo) | Sends communications on the company’s behalf | Follows the controller’s mailing lists, content, and schedules |
| CRM vendor (Salesforce, HubSpot) | Stores and organises customer relationship data | Provides the tool; the controller decides which data enters it |
| IT support / managed services | Accesses systems for maintenance, with data exposure | Processes data incidentally, under the controller’s authority |

In each case, the client organisation determines why the data is processed and what data is involved. The service provider determines how to carry out the task technically, but not the underlying purpose.

Controller vs Processor: The Practical Distinction

The controller determines the “why” and “what” of processing. The processor determines the “how” within the boundaries set by the controller. This distinction has direct consequences for liability, obligations, and regulatory exposure.

| | Controller | Processor |
|---|---|---|
| Determines purpose | Yes | No |
| Determines essential means | Yes | No |
| Needs a legal basis (Art. 6) | Yes | No (relies on controller’s basis) |
| Must conduct DPIAs | Yes | Assists only |
| Maintains Art. 30 records | Art. 30(1) — full records | Art. 30(2) — processor-specific records |
| Direct liability for breaches | Art. 82(1) | Art. 82(2) — if acted outside instructions |
| Can be fined by DPAs | Yes | Yes (Art. 83) |

A company that collects customer data through its website and stores it in a cloud service is the controller. The cloud provider is the processor. If the cloud provider independently analyses that data for its own purposes, it becomes a controller for that additional processing — with all the obligations that status entails.

Joint controllership arises when two or more entities jointly determine purposes and means, governed by Art. 26. The EDPB’s October 2024 Opinion on processors clarified that while processors can propose sub-processors, the controller retains ultimate responsibility for approving any sub-processor engagement.

Art. 28 Data Processing Agreement Requirements

Processors carry direct statutory obligations under the GDPR. These obligations exist independently of any contract, though contracts are also mandatory.

Art. 28(3) requires a binding contract or other legal act between the controller and processor. This Data Processing Agreement (DPA) must specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • The controller’s obligations and rights

For a detailed breakdown, see our Art. 28 GDPR guide.

Mandatory DPA Clauses Under Art. 28(3)

The DPA must include these specific provisions:

  1. Documented instructions — the processor must process data only on documented instructions from the controller.
  2. Confidentiality — personnel with access to personal data must be bound by confidentiality obligations.
  3. Security measures — appropriate technical and organisational measures under Art. 32.
  4. Sub-processor management — prior specific or general written authorisation required before engaging sub-processors.
  5. Data subject rights assistance — the processor must assist the controller in responding to data subject requests.
  6. Breach notification support — assistance with security obligations, breach notification (Art. 33-34), DPIAs, and prior consultation with the supervisory authority.
  7. Data deletion/return — all personal data must be deleted or returned at end of service.
  8. Audit rights — the processor must make available all information necessary to demonstrate Art. 28 compliance.

The absence of a written DPA is itself an infringement. Both the controller and the processor can be held liable, with fines up to EUR 10 million or 2% of worldwide annual turnover under Art. 83(4).

Direct Liability and Enforcement Against Processors

Art. 82(2) makes processors directly liable for damage caused by processing if they acted outside or contrary to the controller’s lawful instructions, or if they failed to comply with obligations specifically directed at processors. Art. 83 allows supervisory authorities to fine processors directly.

A processor that fails to implement adequate security measures under Art. 32 is directly liable for resulting breaches, regardless of the controller’s instructions. A processor that engages a sub-processor without the controller’s authorisation violates Art. 28(2) and bears direct responsibility.

Processors must also maintain their own records of processing activities under Art. 30(2), covering all categories of processing carried out on behalf of each controller.

Recent Fines Against Data Processors

Enforcement against processors has accelerated since 2024. Key cases include:

ICO v Advanced Computer Software Group (2025) — The UK Information Commissioner’s Office imposed a GBP 3.07 million fine (approximately EUR 3.49 million) on Advanced, a processor providing IT services to NHS organisations. The ICO found that Advanced failed to implement multi-factor authentication, conducted inadequate vulnerability scanning, and maintained poor patch management. This was the first penalty specifically imposed on a data processor under the UK GDPR.

Polish DPA processor fine (2025) — The Polish supervisory authority imposed a EUR 132,000 fine on a financial institution for, among other violations, improper DPO positioning that affected processor oversight.

According to the GDPR Enforcement Tracker, regulators are increasingly applying the upper range of Art. 83 powers against processors. Annual GDPR fines stabilised at approximately EUR 1.2 billion in both 2024 and 2025, with a growing share targeting processors directly.

Common Processor Compliance Failures

The most frequent compliance gaps among processors:

  • Operating without a written DPA
  • Engaging sub-processors without authorisation
  • Retaining personal data after the service relationship ends
  • Failing to notify the controller of data breaches without undue delay (Art. 33(2))
  • Missing Art. 30(2) records of processing activities

Each of these failures carries independent sanctions.

How to Ensure Processor Compliance

Organisations acting as data processors should:

  1. Audit Art. 28 compliance — conduct a gap assessment against every requirement in Art. 28(3).
  2. Ensure DPAs are in place with every controller client, covering all mandatory clauses.
  3. Designate a DPO where required under Art. 37.
  4. Maintain Art. 30(2) records — document every processing activity performed on behalf of each controller.
  5. Implement Art. 32 security measures — encryption, access controls, vulnerability management, and incident response.

Compliance platforms such as Legiscope help processors maintain audit-ready documentation of processing activities and track DPA obligations across multiple controller relationships.

FAQ

What is a data processor under GDPR?

Art. 4(8) GDPR defines a data processor as any natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller. The processor acts on the controller’s instructions and does not determine the purposes of processing. Common examples include cloud hosting providers, payroll services, and email marketing platforms.

How do you determine if a vendor is a processor or a controller?

Apply the EDPB’s “essential means” test. If the vendor follows your instructions and has no independent decision-making power over why personal data is processed, it is a processor. If the vendor determines its own purposes for using the data, it is a controller (or joint controller under Art. 26) — and a DPA alone is insufficient.

Can a data processor be fined under GDPR?

Yes. Art. 83 applies to both controllers and processors. Processors can be fined for violations of their specific obligations — Art. 28 contract requirements, Art. 32 security measures, Art. 30(2) record-keeping, and data transfer rules — regardless of the controller’s instructions. The ICO’s 2025 fine against Advanced Computer Software Group confirmed this enforcement power in practice.

What must a Data Processing Agreement contain?

Art. 28(3) mandates that a DPA include: documented instructions from the controller, confidentiality obligations, security measures, sub-processor authorisation requirements, data subject rights assistance, breach notification support, data deletion or return at end of service, and audit rights. Missing any of these clauses creates an infringement risk for both parties.

Conclusion

A data processor under the GDPR is any entity that processes personal data on behalf of a controller. The role carries direct legal obligations including mandatory DPAs under Art. 28, security measures under Art. 32, record-keeping under Art. 30(2), and breach notification duties under Art. 33(2). With the ICO’s 2025 fine against Advanced marking the first processor-specific penalty in the UK, and supervisory authorities across the EEA increasing scrutiny of processor compliance, organisations in the processor role must treat their Art. 28 obligations as enforcement priorities rather than administrative formalities.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the French Prime Minister’s administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.