Data Processor
A data processor is an entity that processes personal data on behalf of and under the instructions of a data controller. In the context of political advertising, processors handle personal data for targeting or ad delivery purposes but do not decide how or why the data is used. The controller remains ultimately responsible for lawful processing.
Legal Basis
"Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
— Article 4(8), Regulation (EU) 2016/679 (GDPR)
While Regulation (EU) 2024/900 does not define data processor, it references data protection law and assigns specific obligations to controllers and processors when personal data is used for targeting political advertising online.
Why It Matters
Understanding the role of data processors is crucial for compliance with both the GDPR and the political advertising regulation. When a political party, campaign, or sponsor uses an online platform, ad-tech provider, or analytics firm to deliver targeted political ads, that provider typically acts as a processor. The sponsor or political actor remains the controller and must ensure the processor meets all legal requirements.
Processors must implement appropriate technical and organisational measures, assist controllers in meeting their obligations (such as responding to data subject requests), and process data only on documented instructions. They cannot use personal data for their own purposes. If a processor determines its own purposes for processing, it becomes a controller and assumes full responsibility under data protection law.
For political advertising, this distinction matters because targeting using personal data is heavily restricted under Chapter III of Regulation (EU) 2024/900. Controllers must ensure their processors comply with targeting limitations, consent requirements, and bans on using certain sensitive data categories.
Key Points
- Acts on instructions: Processors handle personal data only as directed by the controller; they cannot decide how or why data is processed.
- Remains accountable: Controllers are ultimately responsible for ensuring processors comply with GDPR and political advertising rules.
- Written agreements required: Controllers must have a contract or legal act in place with processors specifying processing terms, security measures, and obligations.
- Assists with compliance: Processors must help controllers respond to data subject rights requests, conduct impact assessments, and report data breaches.
- Can become a controller: If a processor determines purposes and means of processing, it is reclassified as a controller with full legal responsibility.
- Specific rules for targeting: When processors deliver targeted political ads online, they must comply with Chapter III restrictions and cannot use special category data for targeting purposes.
Data Processor vs. Data Controller
A data controller determines the purposes and means of processing personal data—deciding what data to collect, how to use it, and why. A data processor acts only on the controller's instructions and does not make those decisions.
In political advertising, a political party deciding to run a targeted ad campaign is the controller. The social media platform or ad-tech service delivering those ads according to the party's instructions is the processor. If the platform also uses the data for its own purposes (e.g., improving its recommendation algorithm), it acts as a controller for that separate purpose.
The distinction is critical because controllers and processors have different obligations under the GDPR, and liability for non-compliance ultimately rests with the controller.