What Is Data Processor?
Data Processor is a term used in the recruitment and staffing industry.
TL;DR
A data processor is an entity that processes personal data on behalf of a data controller, under the controller's instructions, and for the controller's purposes. In recruitment, the vendors handling candidate data — ATS platforms, background check firms, assessment tools — are typically processors. The distinction matters because processors carry specific GDPR obligations and cannot use the data for their own ends.
What Makes Something a Processor
Processing data on behalf of someone else, under their instructions, is the core of processor status. Article 4(8) of the GDPR defines the processor as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. The critical element is that the processor acts under the controller's instructions and has no independent discretion over the purpose of the processing.
A payroll software vendor that processes employee salary data on instruction from the employer is a processor. An ATS that stores, organises, and surfaces candidate applications for the employer is a processor. A background check firm that receives candidate data from the employer and returns a report is a processor.
What a processor cannot do is use the data for its own purposes. If an ATS vendor trains machine learning models on candidate data from its clients without their instruction or knowledge, that activity is outside processor status — the vendor has become a controller for that specific use, with all the GDPR obligations that follow. Several enforcement actions in Europe have turned on exactly this distinction.
Processor Obligations Under the GDPR
Processors are not passive conduits. The GDPR imposes direct obligations on processors, not just on controllers. These include: processing data only on documented instructions from the controller; ensuring confidentiality obligations bind all staff with access; implementing appropriate technical and organisational security measures; not subcontracting to other processors without the controller's authorisation; assisting the controller in fulfilling data subject rights requests; deleting or returning data at the end of the processing relationship; and providing audit cooperation.
A written Data Processing Agreement (DPA) between controller and processor is mandatory under Article 28. The DPA must specify the subject matter and duration of processing, the nature and purpose, the type of personal data and categories of data subjects, and the processor's specific obligations. Standard DPAs published by major cloud vendors (Google, AWS, Microsoft) are usually GDPR-compliant, but employers should still review them.
Processors can face direct regulatory fines. The GDPR allows supervisory authorities to fine processors directly for violating their specific obligations — up to €10 million or 2% of global annual turnover.
Why It Matters for Recruitment
Every technology vendor in the recruitment stack needs to be assessed for processor status and covered by a DPA. ATS providers, video interviewing platforms, skills assessment vendors, reference checking tools, background check firms, and even email marketing platforms used for candidate outreach all handle candidate personal data and are almost certainly processors.
Employers who skip DPAs are in breach of GDPR regardless of any other compliance efforts. Data Protection Authorities in the UK and EU have issued fines specifically for missing or inadequate DPAs — this is an auditable item.
The sub-processor chain also matters. If your ATS runs on AWS infrastructure, AWS is a sub-processor. The ATS vendor must have a DPA with AWS, and your DPA with the ATS vendor should authorise the use of AWS as a sub-processor. Most major vendors handle this automatically, but enterprise security reviews often check the sub-processor list.
In Practice
A recruiting team uses three tools: an ATS for application management, a video interview platform for screening, and a background check vendor for final-stage candidates. The company (controller) must have signed DPAs with all three vendors (processors). The background check vendor also uses a credit bureau as a sub-processor — the background check firm must have its own agreement with the credit bureau, and the employer's DPA should confirm sub-processing is authorised. When a candidate submits a subject access request, the employer must compile data from all three systems and respond within 30 days.
Key Facts
| Concept | Definition | Practical Implication |
|---|---|---|
| Data processor | Processes personal data on behalf of a controller, under their instructions | ATS vendors, background check firms, assessment platforms are usually processors |
| No independent purpose | Processor cannot use data for its own ends | Vendors training models on client data without instruction become controllers for that use |
| Data Processing Agreement | Mandatory written contract between controller and processor | Required under Article 28 — no DPA means GDPR breach regardless of other compliance |
| Sub-processor | Third party engaged by a processor to carry out processing | Must be authorised by controller; processor must have their own DPA with sub-processor |
| Direct GDPR obligations | Processors can be fined directly by supervisory authorities | Up to €10M or 2% of global annual turnover for processor-specific violations |
| Security measures | Processors must implement appropriate technical and organisational measures | Required regardless of controller's own security posture |
| Audit cooperation | Processors must assist controller with compliance demonstration | Controllers have the right to audit processors or [commission](/glossary/commission) third-party audits |