Data Processor
Under GDPR, an entity that processes personal data on behalf of a data controller. The processor acts on the controller's instructions and must not process data for its own purposes. A Data Processing Agreement (DPA) governs the relationship between controller and processor.
A data processor handles personal data on behalf of and under the instructions of a data controller. In the SaaS world, most B2B software companies act as data processors — they process their customers' data according to the service agreement, not for their own independent purposes.
Processors have specific obligations under GDPR (set out mainly in Article 28). They must process personal data only on the controller's documented instructions, implement appropriate technical and organizational security measures, assist the controller in responding to data subject requests, notify the controller of a personal data breach without undue delay after becoming aware of it, maintain records of the processing carried out on behalf of each controller, and delete or return the data at the end of the service. Processors must also obtain the controller's prior written authorization (specific or general) before engaging sub-processors, and they remain liable for a sub-processor's failures. A processor that goes beyond the controller's instructions and decides the purposes and means of processing itself is treated as a controller for that processing.
The relationship between controller and processor must be governed by a Data Processing Agreement (DPA) that sets out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. For SaaS companies, having a well-drafted DPA ready to share with customers is a practical necessity for enterprise sales.
Related terms
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.
Data Protection Impact Assessment
A structured process required by GDPR for assessing the potential impact of a data processing activity on individuals' privacy. DPIAs are mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Officer
A designated role within an organization responsible for overseeing data protection strategy and compliance with GDPR. Appointment of a DPO is mandatory for public authorities, organizations conducting large-scale systematic monitoring, and those processing special category data at scale.
Encryption
The process of converting data into an encoded format that can only be read by authorized parties who possess the correct decryption key. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted over networks).