Processor

An entity that processes personal data on behalf of a controller, under documented instructions.

Also: Data processor

A processor is the party that handles personal data on behalf of a controller, following the controller's documented instructions. GDPR Article 4(8) defines it as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Most B2B SaaS vendors are processors with respect to the customer data their customers give them — the customer (controller) decided why the data is collected and what to do with it; the SaaS vendor is just running the system.

Direct obligations under GDPR

Pre-GDPR, processors had no direct regulatory duties — they were liable only via their contract with the controller. GDPR changed that. Processors now have several direct obligations regardless of what the data processing agreement (DPA) with the controller says:

  • Article 28: must operate under a contract with the controller meeting specified terms.
  • Article 30(2): must keep records of all categories of processing they carry out for controllers.
  • Article 32: must implement appropriate technical and organisational security measures.
  • Article 33(2): must notify the controller "without undue delay" of any personal data breach.
  • Article 37: must appoint a Data Protection Officer if they fall within the criteria.

Failure to meet these can attract fines directly against the processor, separate from any controller liability.

When a processor becomes a controller

A processor that processes data for its own purposes (not the controller's) becomes a controller for that processing. Common examples:

  • Aggregating customer data to publish industry benchmarks.
  • Using customer data to train AI models for use across all customers.
  • Cross-selling based on what they observed in the customer's account.

Each of these is a separate processing activity with its own lawful basis requirement, its own privacy notice, and its own data subject rights pathway. A vendor that does any of them is wearing two hats, and the line has to be clear in their privacy notice.

Related terms