Data Processor

An entity that processes personal data on behalf of a data controller and under the controller's instructions. Processors don't determine why or how personal data is processed—they act as service providers carrying out the controller's directions. Common examples include cloud hosting providers, payroll services, email marketing platforms, customer support tools, and analytics providers. Being a processor doesn't mean you're free from obligations—processors must implement appropriate security measures, maintain processing records, assist controllers with data subject requests and compliance, notify controllers of data breaches, engage sub-processors only with authorization, and not process data except per controller instructions. The controller-processor distinction matters because it determines obligations and liability. Processors can become controllers if they exceed instructions and begin determining processing purposes. Misclassifying processors as controllers (or vice versa) creates compliance gaps.