Often a third party, data processors enact the decisions made by data controllers. Article 4 defines processors as:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
As they donāt dictate the nature of processing, data processors hold less responsibility compared to data controllers. However, they are still held to a fairly strict set of guidelines, outlined by GDPR Article 28.
Though not an exhaustive list, these guidelines dictate that:
For a full list of data processor requirements, check out Article 28.