A data processor is a person, company, or other body that processes personal data on behalf of a data controller. The data processor is usually a third party external to the company, but in some cases, an undertaking may act as a processor for another undertaking. The data processor processes personal data only on behalf of the controller and is bound by the instructions given by the data controller. The duties of the processor towards the controller must be specified in a contract or another legal act. Data processors include machines that perform operations on data, such as calculators or computers, and now cloud service providers can be labeled as data processors.

The data controller determines the purposes for which and the means by which personal data is processed. If a company/organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. The data controller can process collected data using its own processes, but in some instances, it needs to work with a third-party or an external service to work with the data that has been gathered. Even in this situation, the data controller will not relinquish control of the data to the third-party service. The data controller will remain in control by specifying how the data is going to be used and processed by that external service.

The data processor is responsible for carrying out the actual processing of the data under the specific instructions of the data controller, which may include designing, creating, and implementing IT processes and systems that would enable the data controller to gather personal data, using tools and software to process the data, and ensuring the security of the data.