What is a Data Processor?
A data processor is an individual or organization that processes information on behalf of a data controller.
Under the GDPR (Article 4, Section 8), “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Data controllers are also data processors because they process data, such as by transferring it to another processor.
Third-party outsourcers or vendors hired by data controllers to process data are data processors. Data processors are obligated to process data according to the instructions and limitations of the data controller. They are not authorized to do additional data processing outside of the scope of the authority given by the data controller.
Under the medical privacy rule of the Health Insurance Portability and Accountability Act (HIPAA), data processors are called “business associates”. Under the Gramm-Leach-Bliley Act (GLBA), data processors are called “service providers”.
A data controller might hire a data processor, who in turn hires another data processor to do additional work. For example, a hospital might hire a billing agency, which then hires a data media destruction company. Each data processor down the line is expected to act in a trusted manner, consistent with the instructions of the data controller.