The data protection legislation applies to processors as well as controllers and processors are now subject to greater regulatory and judicial exposure.  

The Applied GDPR defines “processors” as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”. Processors can only process personal data on the written instructions of a controller (contract); if they process the personal data outside the instructions of a controller, the processor will be deemed to be a controller in its own right.

The legislation also applies to processors if they undertake processing on behalf of ANY controller (irrespective of the controllers jurisdiction) and that processing is 

“related to:

When are processors used?

It is common practice for a controller to engage a processor to process personal data on its behalf – for example, to take advantage of the processor’s expertise and experience in a particular type of processing operation.