The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

      For a controller to use a processor, it must ensure that the processor can meet the requirements stated in Art. 28 GDPR. This means that the controller, for example, only could choose a processor that can guarantee to implement appropriate technical and organisational measures in such manners that the processing still meets the requirements of GDPR.

      The controller must also ensure that a data processing agreement between them and the processor are being signed. The agreement needs to comply with the requirements stated in Art. 28 (3).