Data Processing on Behalf (Processor Relationship) 

Hardly any company today can operate without external service providers – whether for website hosting, payroll processing, or sending newsletters. In many cases, these service providers are granted access to personal data. This is exactly where a central concept of the General Data Protection Regulation (GDPR) becomes relevant: data processing on behalf (processor relationship).  

But when does such a relationship actually exist and when does it not? Many controllers are not fully aware of the distinctions. The result: legal risks, fines, or unnecessary effort. In this article, you will learn everything you need to know about the topic. 

Do you use external service providers and want to be on the safe side? Check now with // PRIMA whether your data processing agreements are GDPR-compliant—and avoid legal risks from the outset. Our all-in-one tool was developed by experts and enables an easy introduction to GDPR-compliant documentation through templates and tutorials. Request a 14-day free trial now.

Who Is a Processor Within the Meaning of the GDPR? 

The GDPR defines the term “processor” in Art. 4 no. 8 GDPR. According to this, a processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. What is important here is that the processor does not decide independently on the purposes and means of the processing, but acts exclusively in accordance with the instructions of the controller. 

Typical examples include IT service providers, hosting providers, or external call centers. These companies provide the technical infrastructure or perform services – but they do not themselves decide what happens to the data. They merely carry out what the controller specifies. 

A processor therefore has a serving function. It is not the “master of the data,” but carries out the processing exclusively within the framework of instructions. This dependence on instructions is the key criterion for legal classification. 

In contrast stands the so-called controller within the meaning of Art. 4 no. 7 GDPR. This is the entity that decides on the purposes and means of the processing – for example, a company that uses customer data to perform contracts, or a doctor who processes patient data. 

Good to know 

A simple rule of thumb helps with the distinction: whoever makes the decisions is the controller; whoever merely processes data because someone else specifies it is the processor.

This distinction is crucial because it determines who must fulfill which obligations under the GDPR.

Obligations of the Controller in the Case of Processing on Behalf 

The GDPR places high demands on the controller, that is, the entity that decides on the purposes and means of data processing. Before personal data is transferred to a service provider, the controller must check whether the provider meets the requirements of the GDPR. According to Art. 28 para. 1 GDPR, only a processor may be engaged that provides sufficient guarantees that appropriate technical and organizational measures (TOMs) have been implemented.

Once it has been established that a service provider acts as a processor, a data processing agreement (DPA) must be concluded with them – before the start of data processing. This agreement regulates the obligations of the processor and grants the controller rights of control. 

Good to know: Responsibility does not end with the conclusion of the contract. The controller is obliged to regularly monitor compliance with data protection requirements. This can be done through audits, technical checks, or evidence. Sub-processors of the processor must also be included. 

Obligations of the Processor 

The processor also bears specific obligations under the GDPR. These arise primarily from Art. 28 para. 3 GDPR, but also from other provisions such as Art. 29, Art. 32, and Art. 33 GDPR. The processor therefore acts on behalf – but not without responsibility. 

The most important obligation of the processor is to process personal data exclusively in accordance with the documented instructions of the controller. Independent decisions on the purposes or means of processing are not permitted. 

According to Art. 28 para. 3 lit. c GDPR, the processor is obliged to take appropriate technical and organizational measures (TOMs) to ensure an adequate level of data protection. These measures are based on Art. 32 GDPR and include, for example, pseudonymization and encryption, access controls, measures to ensure integrity and availability, or procedures for regularly reviewing data security. The implementation of these measures must be documented – such as through certifications or security reports. 

The processor must actively support the controller – for example, with requests from data subjects pursuant to Arts. 15–22 GDPR (e.g., access, erasure obligations, data portability). There is also a duty to cooperate in the notification of personal data breaches (Art. 33 GDPR) or in data protection impact assessments (Art. 35 GDPR). These support obligations must be expressly regulated in the data processing agreement. If the processor violates these obligations, it may also be held liable. 

When Does Processing on Behalf Exist (GDPR)? 

Processing on behalf exists whenever an external service provider processes personal data exclusively on behalf of a controller – and has no independent decision-making authority over the purposes and means of data processing. This requirement follows directly from Art. 28 para. 1 GDPR.

This means that the mere transfer of data to third parties is not sufficient. What is decisive is who retains control over the data. If the service provider acts purely in a supportive role – for example, to enable certain processes within the company – and responsibility for the data remains entirely with the client, this strongly indicates processing on behalf. 

A classic example is the outsourcing of IT services. If an external provider stores a company’s customer data on its servers, but has no access to the content, pursues no own purposes, and strictly adheres to the company’s instructions, processing on behalf usually exists. 

The situation is different if the service provider itself decides for what purposes and how the data is used – for example, for its own purposes, for analysis, or for advertising. In this case, it is no longer processing on behalf, but rather independent controllership or – in some cases – joint controllership pursuant to Art. 26 GDPR.

The key points at a glance: 

Processing on behalf exists if

  • a service provider processes personal data,
  • does so exclusively on behalf of a controller, and
  • does not pursue its own purposes with the processing.

Examples of Processing on Behalf 

To recognize when processing on behalf exists, it helps to look at practice. Many business processes are outsourced today – and it is often not immediately clear whether this constitutes processing on behalf within the meaning of Art. 28 GDPR. The following examples illustrate typical cases in which a data processing agreement is required. 

Cloud Services and Web Hosting 

If a company stores personal data – such as data of customers or employees – with an external cloud provider or on hosted servers, this service provider usually acts as a processor. The same applies to providers of web hosting services if they have access to databases containing personal information.

Email Marketing and CRM Systems 

Service providers that handle the sending of newsletters or provide a customer relationship management (CRM) system often process personal data on behalf (e.g., email addresses, purchase histories, user behavior). Here too, processing on behalf typically exists – especially if the data is processed solely on the instructions of the client. 

External Payroll Processing 

If a company outsources payroll accounting to an external service provider, employee data is regularly transferred – such as social security numbers, bank details, or tax classes. This processing is carried out on behalf of the company, making a data processing agreement (DPA) necessary. 

IT Support and System Administration 

If an external IT service provider is granted access to internal systems – for example, for remote maintenance or updates – this may also constitute processing on behalf. This is particularly the case if the access is not merely theoretical, but actively used or potentially involves personal data. 

Call Center Services 

The use of external call centers for customer support also often involves processing on behalf – for example, if the call center has access to customer data and provides telephone support in the name of the company. 

Conclusion 

Processing on behalf is one of the central areas of application of the GDPR – and at the same time a frequent risk factor in everyday business practice. Anyone who engages external service providers to process personal data must carefully examine the data protection role of the respective provider: processor, independent controller, or joint controller.

Practice shows: clean documentation, clear contracts, and a precise delineation of roles are essential for legally secure cooperation. Those who review the issue at an early stage and implement it professionally significantly reduce legal risks—and strengthen the trust of customers, employees, and partners. 

Do you need help with GDPR matters? Data protection does not have to be a risk. Create GDPR-compliant documentation now with // PRIMA and keep track of all obligations in our all-in-one tool. Request a 14-day free trial now. 
