What Is a Data Processor Under GDPR?

GDPR data processor definition, Article 28 obligations, DPA requirements, and recent fines.

Every organisation that outsources data handling to a third party creates a controller-processor relationship governed by the GDPR. The regulation places direct obligations on processors, not just on the controllers who engage them. Since 2024, supervisory authorities have begun enforcing against processors independently, making it essential to understand the legal definition, the contractual framework, and the enforcement risks that apply.

Annual GDPR fines stabilised at approximately EUR 1.2 billion in both 2024 and 2025, according to the DLA Piper GDPR Fines Survey January 2026. A growing share of these penalties now targets processors directly. Understanding where the line falls between controller and processor is no longer an academic exercise; it determines who pays when something goes wrong.

What Is a Data Processor Under GDPR?

The GDPR assigns distinct roles to entities involved in personal data processing. The processor’s role is defined by a single criterion: it processes personal data on behalf of, and under the instructions of, a controller.

How Does Article 4(8) Define a Processor?

Article 4(8) defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The critical phrase is “on behalf of.” A processor does not determine the purposes or essential means of processing. It executes instructions.

Common examples include cloud hosting providers storing customer databases, payroll service providers processing employee salary data, and email marketing platforms sending communications on a company’s behalf. In each case, the client organisation determines why the data is processed and what data is involved. The service provider determines how to carry out the task technically, but not the underlying purpose.

The EDPB’s Guidelines 07/2020 introduced a distinction between “essential means” and “non-essential means.” A processor may make decisions about non-essential means such as specific hardware, software, or security configurations. However, decisions about essential means, including the types of data collected, the duration of processing, the categories of data subjects, and the purposes of processing, remain with the controller.

What Is the Difference Between a Controller and a Processor?

The controller determines the “why” and “what” of processing. The processor determines the “how” within the boundaries set by the controller. This distinction has practical consequences for liability, obligations, and regulatory exposure.

A company that collects customer data through its website and decides to store it in a cloud service is the controller. The cloud provider is the processor. If the cloud provider decides independently to analyse that data for its own purposes, it becomes a controller for that additional processing, with all the obligations that status entails.

Joint controllership arises when two or more entities jointly determine purposes and means, governed by Article 26. The EDPB’s October 2024 Opinion on processors clarified that while processors can propose sub-processors, the controller retains ultimate responsibility for approving any sub-processor engagement. Controllers are not, however, required to systematically request copies of sub-processing contracts.

Obligations and Contractual Requirements

Processors carry direct statutory obligations under the GDPR. These obligations exist independently of any contract, though contracts are also mandatory.

What Must a Data Processing Agreement Include?

Article 28(3) requires a binding contract or other legal act between the controller and processor. This Data Processing Agreement (DPA) must specify the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the controller’s obligations and rights. For a detailed breakdown, see our Article 28 guide.

The DPA must also include specific mandatory clauses. The processor must process data only on documented instructions from the controller. It must ensure that personnel with access to personal data are bound by confidentiality obligations. It must implement appropriate technical and organisational security measures under Article 32.

Additional mandatory provisions cover sub-processor engagement (requiring prior specific or general written authorisation), assistance with data subject rights requests, support for the controller’s obligations regarding security, breach notification, DPIAs, and prior consultation. The processor must also delete or return all personal data at the end of the service, and make available all information necessary to demonstrate compliance with Article 28.

The absence of a written DPA is itself an infringement. Both the controller and the processor can be held liable for this failure, with fines up to EUR 10 million or 2% of worldwide annual turnover under Article 83(4).

Direct Liability of Processors

Article 82(2) makes processors directly liable for damage caused by processing if they acted outside or contrary to the controller’s lawful instructions, or if they failed to comply with obligations specifically directed at processors. Article 83 allows supervisory authorities to fine processors directly for violations.

A processor that fails to implement adequate security measures under Article 32 is directly liable for resulting breaches, regardless of the controller’s instructions. A processor that engages a sub-processor without the controller’s authorisation violates Article 28(2) and bears direct responsibility.

Processors must also maintain their own records of processing activities under Article 30(2), covering all categories of processing carried out on behalf of each controller. Failure to maintain these records is an independently sanctionable violation.

Enforcement and Common Mistakes

Enforcement against processors has accelerated since 2024, marking a shift from the early years of the GDPR when regulators focused almost exclusively on controllers.

Recent Fines Against Processors

In 2025, the UK Information Commissioner’s Office imposed a GBP 3.07 million fine (approximately EUR 3.49 million) on Advanced Computer Software Group, a processor providing IT services to NHS organisations. The ICO found that Advanced failed to implement multi-factor authentication, conducted inadequate vulnerability scanning, and maintained poor patch management. This was the ICO’s first penalty specifically imposed on a data processor under the UK GDPR, signalling that regulators are prepared to pursue processors independently.

The Polish supervisory authority imposed a EUR 132,000 fine on a financial institution in 2025 for, among other violations, improper DPO positioning that affected processor oversight. Several other DPAs have issued warnings and reprimands to processors for failing to maintain Article 30(2) records or for processing data beyond the scope of the controller’s documented instructions.

Common Processor Compliance Failures

Common compliance failures among processors include operating without a written DPA, engaging sub-processors without authorisation, retaining personal data after the service relationship ends, and failing to notify the controller of data breaches without undue delay as required by Article 33(2). Each of these failures carries independent sanctions.

Organisations acting as processors should conduct a gap assessment against Article 28’s requirements, ensure DPAs are in place with every controller client, appoint or designate a DPO where required, and use compliance platforms such as Legiscope to maintain audit-ready documentation of processing activities.

Legal disclaimer: This article provides general information about data processor obligations under the GDPR. It does not constitute legal advice. Organisations should consult qualified legal counsel for compliance guidance specific to their circumstances.

Conclusion

A data processor under the GDPR is any entity that processes personal data on behalf of a controller. The role carries direct legal obligations including mandatory DPAs, security measures, record-keeping, and breach notification duties. With the ICO’s 2025 fine against Advanced marking the first processor-specific penalty in the UK, and supervisory authorities across the EEA increasing scrutiny of processor compliance, organisations in the processor role must treat their Article 28 obligations as enforcement priorities rather than administrative formalities.

Last reviewed: March 2026

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.