Author: András Jóri
(8) ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
I. Preliminary remarks
Processor, acting on behalf of the controller, is one of the main actors of data protection law. As opposed to the controller, a concept defined by the elements of control and responsibility (Art. 4 (7)), the processor is the actor who carries out the actual processing on behalf of a controller; it is thus defined by its activity and its relationship whith the controller. In many cases, the controller carries out processing activities on its own behalf; in these cases, a separate “processor” is not present, its role is fulfilled by the controller. However, where processing activities are carried out by a separate party on behalf of the controller, this party will fall under the definition as set out by Art. 4 (8) GDPR and will qualify as a controller.
As to the activity of the processor, it is remarkable that the GDPR does not distinguish between the scope of processing activities that can be carried out by the controller and by the processor: both can be involved in the full scale of “processing” activities as defined by Art. 4 (2) GDPR. In some Member State laws preceding the GDPR, a separate definition was devoted to the activity of the processor, thus making it possible to the SA to give a restrictive interpretation as to what data processing activities can be delegated to a processor.
As to the relationship to other definitions as set out by Art. 4 GDPR, it is important to note that while the processor is not a “third party” under Art. 4 (10), it is a recipient according to Art. 4 (9), resulting in information having to be provided about them under Art. 13 and Art. 14.
II. Legislative history
Art. 2 lit. e DPD defined processor in the same way as the GDPR does (with minor stylistic differences). The definition made its way from the Comm-P to the final text of the GDPR without any changes.
III. Analysis
1. “Natural or legal person, public authority, agency or other body”
The wording of this part of the definition echoes that of the controller (→ Art. 4 (7) mn. 3 et seq.). According to the Board, this means that “there is in principle no limitation as to which type of actor might assume the role of the processor. It might be an organisation, but it also might be an individual”. Still, similarly to the case of controllership, a further question of whether a group of individuals not elevating to a level of “organisation” can act as a processor can be raised. While in the case of controller we find this theoretically possible, but not advisable (→ Art. 4 (7) mn. 5), in the case of processors such a scenario is more problematic, in the light of the obligations of the processor according to, e.g., Art. 28. These must be based ona contract or another legal act, which requires that the processor is capable of contracting under applicable contract law; the obligations are also of a very technical nature to the level that they cannot realistically be fulfilled by an informal group of individuals.
[…]