Data Processor

From Justice Definitions Project

A Data Processor is any person acting on behalf of a “Data Fiduciary”, i.e. a professional who works with big data or with information about a person’s location, behaviour and internet browsing habits. Data processors, working either as third-party processors or as part of a company or organization, provide administrative support for organizing, transferring, processing and storing data. A data processor’s specific duties may vary depending on the industry in which they work.

Data processors must follow the specific instructions provided by a data controller. A data controller is a company, organization or individual that decides to collect certain datasets. Data controllers also determine the purpose for collecting the data and how the data will be processed and used. The data controller then gives the data processor access to the data, and the data processor performs the actual processing. Data processor is an entry-level position that can eventually lead to a data controller role.

Term as defined in legislation

According to Section 2(k) of the Digital Personal Data Protection Act, 2023, a Data Processor is any person who processes personal data on behalf of a Data Fiduciary. The term “Processing” refers to automated or semi-automated operations performed on digital personal data, including collection, recording, organisation, storage, adaptation, retrieval, sharing, restriction or deletion.[1]

In India’s Information Technology Act, 2000 (IT Act, 2000), data processors are defined as “Intermediaries” under Section 2(w). An intermediary is any entity that receives, stores or transmits data on behalf of another entity. This broad definition includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.[2]

Legal provision(s) related to term

Section 2(x) of the Digital Personal Data Protection Act, 2023 defines the term “Processing” as:

"“Processing”, in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction."

Section 2(i) defines Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."

Personal Data is defined in Section 2(t) as "any data about an individual who is identifiable by or in relation to such data."

Terms as defined in official government report

The term "data processor" was initially referred to as an "intermediary" in sub-section (w) of clause (1) of section (2) of the Information Technology (IT) Act, 2000. This legislation was India’s first attempt at regulating the digital space. However, the rapid advancements in technology and the increasing concerns regarding cybercrime and data protection necessitated a revision of the legal framework. Consequently, the 2008 amendment to the IT Act introduced key provisions addressing issues such as data security, cybercrime, electronic signatures, and intermediary liability. This amendment was a significant step in aligning India's legal system with the evolving digital landscape, recognizing the need for a more comprehensive approach to data governance.

In 2017, the Government of India constituted the AP Shah Committee, officially known as the Committee of Experts on Privacy, to examine various aspects of data protection in the country.[3] The following year, the B.N. Srikrishna Committee submitted its report, which laid the foundation for the draft Personal Data Protection Bill, 2018. The committee, in collaboration with legal experts and law firms such as Trilegal, contributed insights on defining the roles and responsibilities of data processors. Through extensive discussions and consultations, the bill refined the conceptual understanding of data processors, ensuring that their obligations were clearly outlined in the proposed data protection framework.[4]

The Srikrishna Committee’s report played a pivotal role in shaping the draft Personal Data Protection Bill, 2018, particularly in defining and regulating data processors. Under the bill, a data processor is described as an entity that processes personal data on behalf of a data controller, strictly following the controller's instructions and adhering to prescribed data protection regulations. This definition reinforced the fundamental distinction between data controllers and processors, ensuring that each entity's responsibilities were clearly demarcated within India's data protection regime.

The Personal Data Protection Act, 2018, introduced a key provision that stated: “Where a person, who by virtue of the operation of this Part is a processor of personal data, when purporting to act as such a processor, determines the purpose and means of the processing of the data, the obligations that are placed on a controller under this Part shall apply thereafter to the person as though the person were a controller of the data.” This provision underscored that a processor who assumes control over data processing decisions would be treated as a controller under the law, ensuring accountability in data handling practices.

Subsequently, the Personal Data Protection Act, 2019, further elaborated on the role of data processors, stating that “Data processors are persons that are involved in the processing of personal data, including activities such as collection, recording, organization, storage, etc. or otherwise making available, restriction, erasure, or destruction, who do such processing on behalf of the data fiduciaries.” This definition reinforced the idea that data processors act under the directives of data fiduciaries and do not independently determine the purpose or means of data processing.

In the draft bill and the subsequent Joint Parliamentary Committee (JPC) report, a data processor was consistently defined as an entity that processes personal data on behalf of a data controller while adhering to data protection regulations. The bill also outlined specific obligations of data processors, including their compliance responsibilities and the limitations on their authority in processing personal data. The focus remained on ensuring that data processors operate within a legal framework that safeguards individuals’ privacy while supporting lawful data processing activities.

The Digital Personal Data Protection (DPDP) Bill, 2022, further refined the definition of data processing. It described processing as a wholly or partially automated operation, or a set of operations, performed on digital personal data. This included collection, storage, use, and sharing of data, ensuring a broad and comprehensive regulatory scope. A key provision of the bill emphasized consent, stating that personal data may be processed only for a lawful purpose after obtaining the individual's explicit consent. This provision underscored the fundamental principle of data protection—ensuring that individuals retain control over how their personal data is used.

The DPDP Act, 2023, introduced a shift in terminology, referring to data processors as “Data Fiduciaries.” Under this framework, a data fiduciary is defined as any person or group of persons who determine the purposes and means of processing personal data. This new terminology emphasized the fiduciary duty of data processors, highlighting their responsibility in ensuring ethical and lawful data processing practices.

INTERNATIONAL EXPERIENCE

OECD Privacy Framework

The OECD Privacy Framework provides guidance on the roles and responsibilities of data processors. Specifically, the revised OECD Privacy Guidelines introduced the concept of "privacy management programs" that data controllers should implement. These programs should include provisions for sub-contracting and a structured process for conducting audits. The supplementary explanatory memorandum highlights that privacy management programs must reflect not only the OECD Privacy Guidelines but also other legal sources, such as domestic laws, international obligations, self-regulatory programs, or contractual provisions. This approach underscores the OECD Privacy Framework’s recognition of the significance of data processors and the necessity for data controllers to maintain appropriate oversight over data processing activities, whether conducted internally or by third-party processors. The framework encourages accountability and transparency in handling personal data, including within sub-contracting arrangements.[5]

APEC/Global CBPR System

The APEC/Global Cross-Border Privacy Rules (CBPR) System focuses on data processors and controllers by offering certifications that demonstrate compliance with internationally recognized data privacy standards. The APEC CBPR System is designed for organizations (data controllers) that manage personal data, whereas the Privacy Recognition for Processors (PRP) System is intended for organizations (data processors) handling data on behalf of data controllers. Both certifications aim to establish a network of accountable organizations within APEC economies, facilitating trusted cross-border data flows. These certifications provide organizations with several benefits, including reduced compliance costs, enhanced trust with consumers, regulatory assurance, and recognition by enforcement authorities.[6]

European Union Charter

The European Union’s General Data Protection Regulation (GDPR) establishes data protection as a fundamental right for EU citizens.[7] Key aspects of the regulation include its extraterritorial applicability, meaning that it applies to any organization processing the personal data of individuals located in the EU, regardless of the organization's physical location. The GDPR defines "personal data" broadly, covering any information related to an identified or identifiable natural person. It applies to both data controllers (entities that determine the purpose of data collection) and data processors (entities that process data on behalf of controllers). Article 8 of the EU Charter of Fundamental Rights explicitly enshrines the right to data protection, further reinforced by Article 16 of the Treaty on the Functioning of the European Union. To ensure consistent enforcement, each EU member state has an independent supervisory authority that cooperates under the European Data Protection Board (EDPB).[8]

EU International Convention 108+

The EU International Convention 108+, an updated version of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, is a significant international treaty modernizing global data protection laws.[9][10] Convention 108+ aligns closely with GDPR principles and has played a crucial role in shaping data protection regulations worldwide. It mandates that participating countries establish independent supervisory authorities to enforce data protection effectively. The convention emphasizes principles such as lawful and fair data processing, purpose limitation, proportionality, transparency, privacy by design and by default, data security, and risk management. Convention 108+ has influenced both regional and national legislation beyond the EU, ensuring a balanced approach that facilitates international acceptance while maintaining legal enforceability.[11]

CCG-UNDP Guide

The CCG-UNDP Guide on data processors clarifies their roles and responsibilities within data protection frameworks. According to the guide, data processors are entities that conduct data processing on behalf of a data controller and must comply with stringent security measures. While the GDPR, OAS Principles, and Convention 108+ explicitly define data processors, other frameworks like the African Union (AU) Convention and the HIPCAR Privacy Framework refer to processors indirectly. The guide asserts that data processors must strictly follow the controller's instructions and comply with established legal frameworks. If a processor exceeds these instructions by determining its own purposes and means of processing, it is classified as a data controller and subjected to the corresponding responsibilities and liabilities.[12]

INTERNATIONAL DOMESTIC LAWS

European GDPR & the EULED

The General Data Protection Regulation (GDPR) is a landmark legislation that updated and unified data privacy laws across the European Union (EU). Approved by the European Parliament on April 14, 2016, it became effective on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR applies to all organizations that collect personal data from any EU citizen, irrespective of the organization's geographical location. It establishes three key roles in personal data governance: data subjects (individuals who own personal data), data controllers (entities that determine the collection and use of data), and data processors (entities processing data on behalf of controllers). In the event of a data breach, the GDPR mandates that data controllers notify supervisory authorities within 72 hours and inform affected individuals directly. Additionally, the GDPR has extraterritorial reach, meaning that non-EU organizations offering goods or services to EU individuals or monitoring their behavior are subject to its provisions. The European Data Protection Board (EDPB) ensures consistent application of data protection rules across the EU and EEA.

One key distinction between the Digital Personal Data Protection Act (DPDPA) and GDPR is that the DPDPA focuses on regulating only "digital personal data," whereas the GDPR applies to all personal data, whether digital or non-digital. Specifically, the DPDPA governs personal data collected in digital form or personal data that has been digitized after collection. In contrast, the GDPR covers all types of personal data, including non-digital forms. Additionally, the DPDPA excludes publicly available personal data from its scope, whereas the GDPR continues to protect such data.

European e-Privacy Directive

The European e-Privacy Directive imposes specific obligations on data processors regarding the processing of personal data in the electronic communications sector. It requires data processors to implement security measures, notify authorities of breaches within 24 hours, and inform users if their data privacy is compromised. Additionally, it mandates confidentiality in communications over public networks, prohibits unauthorized surveillance or interception, and requires traffic data to be erased or anonymized once it is no longer needed. The directive places significant emphasis on obtaining user consent before sending unsolicited communications, storing cookies, or accessing stored data on users' devices. Its primary goal is to protect individuals’ privacy while ensuring secure processing of personal data in digital communications.[13]

UK GDPR & UK Data Reform Bill

The UK GDPR and the UK Data Protection and Digital Information Bill aim to reform data protection regulations in the UK. The new bill will replace the UK GDPR, introducing a streamlined data protection regime with features such as reduced administrative burdens, greater flexibility in data transfers, enhanced individual rights, and the establishment of a new regulatory authority, the Information Commissioner. The bill applies not only to UK-based organizations processing personal data but also to foreign entities handling data belonging to UK residents. It seeks to simplify compliance for businesses while aligning with global data protection standards.[14][15]

Singapore PDPA

The Singapore Personal Data Protection Act (PDPA) defines data processors as "data intermediaries," referring to organizations that process personal data on behalf of another entity but excluding an employee of that entity. This definition closely mirrors that of a "data processor" under the GDPR. Under the PDPA, organizations must appoint a Data Protection Officer (DPO) and implement robust security measures. Data intermediaries are required to comply with specific obligations, such as the Protection Obligation and Retention Limitation Obligation. Additionally, the PDPA mandates that organizations transferring personal data outside Singapore ensure that it receives a comparable level of protection.[16]

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) does not explicitly define "data processors," instead referring to them as "service providers" that process information on behalf of a business. A service provider under the CCPA is a for-profit legal entity that processes personal data for a business and is contractually restricted from using the data for purposes other than those specified in the contract. Businesses are required to enter into written agreements with service providers, explicitly prohibiting them from selling personal information or using it for unauthorized purposes. Unlike the GDPR, which defines a data processor as any entity processing data on behalf of a controller, the CCPA focuses more on contractual obligations rather than imposing GDPR-level compliance on service providers.[17]

APPEARANCE OF DATA PROCESSOR IN DATABASE

Data in its raw form is not useful to any organization. Data processing is the method of collecting raw data and translating it into usable information. It is usually performed as a step-by-step process by a team of data scientists and data engineers in an organization. By converting the data into readable formats such as graphs, charts and documents, employees throughout the organization can understand and use the data.

The six stages of data processing are:

  1. Data collection
  2. Data preparation
  3. Data input
  4. Processing
  5. Data output/ Interpretation
  6. Data storage

CHALLENGES

In data governance, the roles of a data controller and a data processor are distinct but interdependent. A data controller—which could be a company, organization, or individual—decides to collect certain datasets, determines the purpose of collection, and outlines how the data will be processed and used. Once these decisions are made, the controller provides the data processor with access to the data, enabling the processor to carry out the actual processing tasks.

A data processor is responsible for handling personal data strictly according to the instructions set by the data controller. This role is often considered an entry-level position that, with experience, can lead to responsibilities akin to those of a data controller. To enhance clarity, it is useful to distinguish between a data fiduciary and a data processor:

  • A data fiduciary refers to any person or entity that determines the purpose and means of processing personal data, either independently or in conjunction with others.
  • A data processor, on the other hand, processes personal data solely on behalf of a data fiduciary and does not determine the purpose or means of processing.

Data processors often seek to maintain their distinct identity, as data fiduciaries bear more extensive legal obligations to ensure compliance with data protection laws. Conceptually, a data fiduciary should be held responsible for improper data processing by a processor only when it exercises a significant degree of influence or control over the processor’s actions.

Determining whether an entity acts as a data controller (or fiduciary) or a processor depends on the purpose and means test. If an organization decides why and how personal data should be processed, it is classified as a data controller. The responsibilities of a processor toward a controller must be explicitly outlined in a contract or another legally binding document.

Despite regulatory frameworks, data processors encounter several challenges in their operations:

  1. Legal Compliance – Keeping up with evolving data protection laws across different jurisdictions and ensuring compliance with diverse legal requirements.
  2. Security Risks – Preventing unauthorized access, data breaches, and cyber threats, which pose significant risks to personal and sensitive data.
  3. Lack of Clear Guidelines – Navigating the complexities of intermediary liability, particularly in cases where responsibilities between controllers and processors are not well-defined.
  4. Technological Adaptation – Keeping pace with rapid advancements in AI, blockchain, and cloud computing while ensuring compliance with data protection principles.

Data processors frequently engage in activities such as providing IT solutions, including cloud storage services. Importantly, a data processor can only subcontract its tasks or appoint a joint processor with the prior written authorization of the data controller. This ensures accountability and compliance with legal frameworks governing data protection.

WAY AHEAD

Data processors have a bright future as new technologies and techniques become available. By staying up to date with developments in data processing, businesses can ensure that they are able to process and analyse data quickly and effectively in order to stay competitive. As data continues to grow exponentially, data processors are turning to innovative solutions that leverage artificial intelligence (AI) and machine learning (ML) to keep up with the increasing volume and complexity of data.

These technologies will enable data processors to automate repetitive tasks, identify patterns and trends, and make predictions based on historical data. By harnessing the power of AI and ML, data processors can process large amounts of data more quickly and accurately, leading to improved decision making and greater insights.

  1. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
  2. https://www.indiacode.nic.in/handle/123456789/1999
  3. https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf
  4. https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy
  5. https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
  6. https://www.pdpc.gov.sg/help-and-resources/2021/10/apec-cross-border-privacy-rules-and-privacy-recognition-for-processors-systems
  7. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
  8. https://www.law.cornell.edu/wex/eu_data_privacy_laws
  9. https://www.coe.int/en/web/data-protection/convention108-and-protocol
  10. https://usc-word-edit.officeapps.live.com/we/wordeditorframe.aspx?ui=en-US&rs=en-US&wopisrc=https%3A%2F%2Fmy.microsoftpersonalcontent.com%2Fpersonal%2F088b774e1c6cb354%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F411532175fbd4e9bb70d9ba0d6d62542&wdenableroaming=1&mscc=0&wdodb=1&hid=0Q3AKPrI8UW8iNk2SGkGrQ.0.0&sc=%7B%22pmo%22%3A%22https%3A%2F%2Fonedrive.live.com%22%2C%22redeem%22%3A%22aHR0cHM6Ly8xZHJ2Lm1zL3cvYy8wODhiNzc0ZTFjNmNiMzU0L0VSY3lGVUc5WDV0T3R3MmJvTmJXSlVJQm00WGhrTFVDcmU0MnJTc3F5VWZrMVE_ZT16TjMxRmw%22%7D&wdo=2&uih=onedrivecom&jsapi=1&jsapiver=v2&corrid=e28967cb-0001-40da-b946-efefc2d63e77&usid=e28967cb-0001-40da-b946-efefc2d63e77&newsession=1&sftc=1&uihit=editaspx&muv=1&cac=1&sams=1&mtf=1&sfp=1&sdp=1&hch=1&hwfh=1&dchat=1&ctp=LeastProtected&rct=Normal&wdorigin=Other&instantedit=1&wopicomplete=1&wdredirectionreason=Unified_SingleFlush#_ftn7
  11. https://usc-word-edit.officeapps.live.com/we/wordeditorframe.aspx?ui=en-US&rs=en-US&wopisrc=https%3A%2F%2Fmy.microsoftpersonalcontent.com%2Fpersonal%2F088b774e1c6cb354%2F_vti_bin%2Fwopi.ashx%2Ffiles%2F411532175fbd4e9bb70d9ba0d6d62542&wdenableroaming=1&mscc=0&wdodb=1&hid=0Q3AKPrI8UW8iNk2SGkGrQ.0.0&sc=%7B%22pmo%22%3A%22https%3A%2F%2Fonedrive.live.com%22%2C%22redeem%22%3A%22aHR0cHM6Ly8xZHJ2Lm1zL3cvYy8wODhiNzc0ZTFjNmNiMzU0L0VSY3lGVUc5WDV0T3R3MmJvTmJXSlVJQm00WGhrTFVDcmU0MnJTc3F5VWZrMVE_ZT16TjMxRmw%22%7D&wdo=2&uih=onedrivecom&jsapi=1&jsapiver=v2&corrid=e28967cb-0001-40da-b946-efefc2d63e77&usid=e28967cb-0001-40da-b946-efefc2d63e77&newsession=1&sftc=1&uihit=editaspx&muv=1&cac=1&sams=1&mtf=1&sfp=1&sdp=1&hch=1&hwfh=1&dchat=1&ctp=LeastProtected&rct=Normal&wdorigin=Other&instantedit=1&wopicomplete=1&wdredirectionreason=Unified_SingleFlush#_ftn8
  12. https://www.undp.org/sites/g/files/zskgke326/files/2023-04/UNDP%20Drafting%20Data%20Protection%20Legislation%20March%202023.pdf
  13. https://www.edps.europa.eu/data-protection/data-protection/glossary/e_en#e-privacy_directive2009-136-ec
  14. https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/
  15. https://bills.parliament.uk/bills/3430
  16. https://sso.agc.gov.sg/Act/PDPA2012
  17. https://oag.ca.gov/privacy/ccpa