2. A processor acts on behalf of the controller

Even though the controller determines the purposes and means of processing personal data, it does not necessarily do all of the processing itself. A person or organisation processing personal data on behalf of and according to the instructions of the controller is called a ‘processor’ of personal data. For example, the provider of membership registry software acts as a processor on behalf of the hobby organiser.

The processor can be a company, private entrepreneur, authority, or association. Individual employees of the controller who process personal data as part of their duties are not processors in this sense.

Processors can include IT service providers with access to the controller’s personal data. The duties of processors can be very specific, such as outsourced mail delivery. But they can also be broad in scope, such as managing a service for another organisation or the payment of salaries.

A processor may only process personal data for the purposes defined by the controller. It cannot start processing that data for its own purposes.

It is essential for the hobby organiser to identify the parties processing its personal data and ensure that a processing agreement has been signed with them.

More information on the contents of a processing agreement is available later in the guide.

Example

A football club has purchased an application from IT provider Corner Kick Ltd in which its players register for training. Corner Kick Ltd has access to the players’ and coaches’ personal data in the application. Corner Kick Ltd provides the registration service through the application and processes the football club’s personal data on behalf of the club and according to its instructions. Therefore, Corner Kick Ltd is the processor of the personal data processed in the registration app, and the football club is the controller.

Remember

The processor processes personal data on behalf of the controller and according to its instructions.