Data processor

Data Processor in Europe

The data processor is the statutory counterpart of the data controller. According to Article 2 lit. e) EU Data Protection Directive 95/46/EC, the processor is “a natural or legal person, public authority, agency or any other body which processes data on behalf of the controller”.

From this definition two main provisions for a data processor can be derived:

  • The entity is organisationally and legally separate from the data controller (it needs to be at least a legally independent branch of a corporation)
  • The entity is processing personal data on behalf of the controller

The data processor undertakes data processing tasks that were delegated by the data controller. The crucial factor is the data controller’s remaining authority over the purpose and means of the processing. The data processor is bound by the instructions of the data controller. The Article 29 Data Protection Working Party listed additional criteria that can support the identification of an actor as data processor. (Article 29 Working Party, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, p. 10 ff)

These additional criteria are:

  • Level of prior (contractual) instruction
  • Monitoring through the controller entity
  • The visibility or outward appearance of the data controller towards the data subject
  • Professional expertise as service taking precedence over the data processing
  • Level of knowledge and decision power on controller side

A subcontractor acting on behalf of the processer is called subprocessor hereinafter.

Data processor and the Public Sector Information

The processor shall mean “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the (data) controller” (Article 2, e) of Directive 95/46/EC). Source: Dir_1995_46_EN.pdf


See Also

  • Directive on the re-use of Public Sector Information (PSI Directive)
  • Leave a Comment