Under GDPR, a data processor is any organization that processes personal data on behalf of a data controller, following its instructions, under a contract that precisely governs this relationship.
The data controller remains liable for its processors' failures; selecting and contractually governing them is an integral part of GDPR compliance.
A company signs a GDPR data processing agreement with its cloud hosting provider, specifying security measures and the conditions for any further sub-processing.
Assess your organization's maturity on this topic
Start the diagnostic