Expressvpn Glossary

Data processor

What is a data processor?

A data processor is a person or organization that processes personal data on behalf of a data controller. They carry out the work under the data controller’s documented instructions, but may decide on how to do it technically (e.g., choosing servers).

What does a data processor do?

A data processor handles the operational side of personal data management and processing.

Common processor duties include:

  • Hosting and storage: Running servers or cloud services where personal data is stored.
  • Data handling: Collecting, organizing, converting, or structuring data for the controller’s workflows.
  • Security controls: Using technical and organizational measures that match the risk (e.g., encryption, access controls, backups, and security testing).
  • Breach escalation: Notifying the controller without undue delay after becoming aware of a personal data breach.
  • Recordkeeping: Keeping records of the processing activities carried out for each controller.
  • Sub-processor management: Bringing in sub-processors only with the controller’s authorization, with the same data protection duties flowed down by contract.
  • End-of-service handling: Returning or deleting personal data at the end of the engagement, subject to legal retention duties that may apply.

Examples of data processors

Service providers that often act as data processors include:

  • Cloud storage and hosting providers (e.g., Google Cloud, Amazon Web Services) that host files, databases, and backups for other companies.
  • Email marketing platforms that send newsletters to a list of email addresses.
  • Payment processors that handle credit card transactions for merchants.
  • Customer support platforms that manage help desk tickets and user queries.
  • Website analytics service providers that track, manage, and analyze website visitor data (e.g., clicks, page views) to provide reports and insights.

Data controller vs. data processor

Understanding the difference between a data processor and a data controller is necessary for compliance.

[Image: The relationship between the data subject, the data controller who decides the purpose, and the data processor who executes the tasks.]

Data processor

  • Acts only on written instructions from the controller.
  • Relies on the controller’s purpose or legal basis for processing.
  • Implements technical and security measures to protect the data.

Data controller

  • Determines why and how personal data is processed.
  • Chooses the data processor and sets the requirements for handling data.
  • Responsible for overall compliance obligations and answering to regulators.

FAQ

Is a company always a data processor?

No. A company can be a data controller for its own employee data but a data processor for its clients' data. The role depends on who determines the purpose of the data processing.

Can an organization be both a data controller and a data processor?

Yes. An organization often acts as a data controller for data it collects directly (such as human resources records) and as a data processor for data it handles on behalf of customers.

Does GDPR require contracts with data processors?

Yes. The General Data Protection Regulation (GDPR) mandates a written contract (a data processing agreement) setting out details, such as the subject matter, duration, nature, and purpose of the processing.

What security measures must a data processor implement?

Data processors must implement technical and organizational measures such as encryption, pseudonymization, and regular security testing to guarantee a level of security appropriate to the risk.