Adopted - version for public consultation 24
4 DEFINITION OF PROCESSOR
71. A processor is defined in Article 4(8) as a natural or legal person, public authority, agency or another
body, which processes personal data on behalf of the controller. Similar to the definition of controller,
the definition of processor envisages a broad range of actors - it can be “a natural or legal person,
public authority, agency or other body”. This means that there is in principle no limitation as to which
type of actor might assume the role of a processor. It might be an organisation, but it might also be an
individual.
72. The GDPR lays down obligations directly applicable specifically to processors as further specified in
Part II section 1 of these guidelines. A processor can be held liable or fined in case of failure to comply
with such obligations or in case it acts outside or contrary to the lawful instructions of the controller.
73. Processing of personal data can involve multiple processors. For example, a controller may itself
choose to directly engage multiple processors, by involving different processors at separate stages of
the processing (multiple processors). A controller might also decide to engage one processor, who in
turn - with the authorisation of the controller - engages one or more other processors
(“sub-processor(s)”). The processing activity entrusted to the processor may be limited to a very specific task
or context or may be more general and extended.
74. Two basic conditions for qualifying as processor are:
a) being a separate entity in relation to the controller and
b) processing personal data on the controller’s behalf.
75. A separate entity means that the controller decides to delegate all or part of the processing activities
to an external organisation. Within a group of companies, one company can be a processor to another
company acting as controller, as both companies are separate entities. On the other hand, a
department within a company cannot generally be a processor to another department within the same
entity.
76. If the controller decides to process data itself, using its own resources within its organisation, for
example through its own staff, this is not a processor situation. Employees and other persons that are
acting under the direct authority of the controller, such as temporarily employed staff, are not to be
seen as processors since they will process personal data as a part of the controller’s entity. In
accordance with Article 29, they are also bound by the controller’s instructions.
77. Processing personal data on the controller’s behalf firstly requires that the separate entity processes
personal data for the benefit of the controller. In Article 4(2), processing is defined as a concept
including a wide array of operations ranging from collection, storage and consultation to use,
dissemination or otherwise making available and destruction. In practice, this means that all
imaginable handling of personal data constitutes processing.
78. Secondly, the processing must be done on behalf of a controller but otherwise than under its direct
authority or control. Acting “on behalf of” means serving someone else’s interest and recalls the legal
concept of “delegation”. In the case of data protection law, a processor is called to implement the
instructions given by the controller at least with regard to the purpose of the processing and the
essential elements of the means. The lawfulness of the processing according to Article 6, and if relevant
Article 9, of the Regulation will be derived from the controller’s activity and the processor must not
process the data otherwise than according to the controller’s instructions. Even so, as described above,
the controller’s instructions may still leave a certain degree of discretion about how to best serve the