Glossary

Data Processor

A vendor, service provider, or other party that processes personal data on behalf of a Controller. Processors act only on documented instructions from the Controller. Also called "Processor".

A Processor handles personal data on behalf of, and under the documented instructions of, a Controller. Typical examples: payroll providers, cloud hosting platforms, analytics vendors, customer-support tooling, CRM systems. The Processor does not decide why the data is being processed — that is the Controller's role — but it carries direct legal obligations of its own under GDPR Article 28 and the CCPA's service-provider provisions.

Those obligations include processing only on documented instructions, ensuring confidentiality, implementing appropriate security, engaging sub-processors only with prior authorization, assisting the Controller with rights requests and breach notifications, and deleting or returning data at the end of the engagement. A Data Processing Agreement (DPA) is the contract that codifies all of this.

Distinguishing Controller from Processor is a recurring source of compliance error. The line is determined by who actually decides the purposes and means of processing, not by what the contract calls each party. A SaaS vendor that aggregates client data for its own analytics quietly slides from Processor into Controller territory — triggering a different set of obligations that the original DPA may not cover.