What is a processor under GDPR?
A processor processes personal data on behalf of someone else (the controller). A hosting provider, email service or SaaS supplier is a processor with its own GDPR obligations.
GDPR Art. 4(8) defines a processor as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". In practice, these are parties that process data on your behalf, not for their own purposes. Examples: a hosting provider (TransIP, Hetzner) hosting your customer data, an email service (Mailchimp, MailerLite), a payroll provider (Visma, Loket), a SaaS CRM (HubSpot, Salesforce), cloud storage (Google Workspace, Microsoft 365), and Stripe and Mollie for payments.
NOT a processor: parties processing data for their own purposes, e.g. the Dutch tax authority receiving your employee data (a separate controller) or Google Analytics in standard mode (Google sets its own purposes too). Since Schrems II and recent EDPB guidelines this distinction is sharp.
A Data Processing Agreement (DPA) is required (Art. 28(3)): a written contract specifying instructions, security measures, sub-processors, assistance with GDPR rights, and the breach procedure. Working with a processor without a DPA is a GDPR breach.
The processor's own obligations: implement security measures, act only on instructions, report breaches to the controller, assist with DPIAs, and return or delete data at contract end.
Liability: processors can also be fined (separately); there were fines in 2023-2025 against SaaS providers for missing DPAs or unreported sub-processors.