Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Does GDPR Apply To Australian Businesses?
- What Is A Data Processor (And How Is It Different From A Controller)?
- What Does A Data Processor Have To Do Under GDPR?
  - Only Process Data On Documented Instructions
  - Implement Appropriate Security Measures
  - Assist With Data Subject Rights
  - Breach Notification (Notify The Controller Without Undue Delay)
  - Maintain Records Of Processing (ROPA) Where Required
  - Manage Sub‑Processors Properly
  - Support Impact Assessments And Audits
  - International Data Transfers
  - Appoint A Data Protection Officer (DPO) If Required
- Contracts And Documents Processors Should Have In Place
- Practical Tips For Contracting As A Processor
- Common Tricky Areas For Australian Processors
- How Does GDPR Interact With Australian Privacy Law?
- Key Takeaways
If you work with European customers or partners, you’ve likely heard of the General Data Protection Regulation (GDPR). It’s one of the world’s toughest privacy laws, and it can apply to Australian businesses in certain situations.
A common question we hear is: am I a “data processor” under GDPR? And if so, what do I actually need to do?
In this guide, we’ll explain what a data processor is, when GDPR applies to Australian businesses, the key duties processors must meet, and the documents you’ll want in place to manage risk. We’ll also touch on how GDPR compares to Australia’s privacy laws so you can confidently plan your compliance path.
Does GDPR Apply To Australian Businesses?
Yes. GDPR can apply to Australian businesses even if you have no office or other establishment in Europe. You'll generally have obligations if you:
- Offer goods or services to people located in the European Union (paid or free), or
- Monitor the behaviour of people in the EU (for example, through tracking, profiling or behavioural advertising).
This turns on where the individual is when their data is collected, not on their citizenship and not on where your business is based. If you're targeting or tracking EU-based individuals, GDPR may be in scope.
Plenty of Australian companies fall into this bucket: SaaS providers, e‑commerce stores, marketing agencies, cloud hosts, analytics firms and managed service providers. If you're unsure, it's worth speaking with a data privacy lawyer early so you can scale globally with confidence.
What Is A Data Processor (And How Is It Different From A Controller)?
Under GDPR, roles matter. Understanding them helps you work out your responsibilities.
A data controller decides the "why" and "how" of processing personal data. A data processor carries out processing on the controller's behalf but does not determine the purpose or the essential means.
- Controller: Sets the purposes and overall means (e.g. “send promotional emails to customers every month”).
- Processor: Processes personal data under the controller’s documented instructions (e.g. runs the email platform, stores the lists, segments audiences).
These roles are determined by the real-world circumstances, not just what your contract says. You might be a controller for some activities (like your own HR data) and a processor for others (like client customer lists).
For example, an Australian marketing agency that executes campaigns for a European retailer will typically be a processor for the retailer’s customer data. But that same agency is a controller for its own CRM and payroll information.
Important clarification: the controller does not have to be EU-based for GDPR to apply. If the processing relates to offering goods or services to, or monitoring, EU individuals, GDPR can catch both controllers and processors outside the EU. And even where GDPR does not reach you directly, an EU controller is itself required to impose GDPR processor terms on you by contract, so in practice you will be held to the same duties.
What Does A Data Processor Have To Do Under GDPR?
Being a processor isn't just a label. It carries real legal duties. Here are the core obligations you should have on your radar.
Only Process Data On Documented Instructions
You must only process personal data on the controller's documented instructions, including around international transfers. If you go beyond those instructions or repurpose data for your own aims, you're likely acting as a controller for that processing (and taking on much greater risk). If you believe an instruction itself breaches GDPR, you're expected to tell the controller rather than simply carry it out.
Implement Appropriate Security Measures
Processors must implement appropriate technical and organisational measures to keep personal data secure, proportionate to the risk of the processing. Think encryption, access controls, logging and monitoring, secure software development practices, tested backups and staff training. GDPR also expects you to regularly test and evaluate those measures, so a control that exists only on paper will not satisfy a controller's due diligence or a regulator.
It’s common to formalise these controls in an Information Security Policy and to build “privacy by design” into your systems and processes from the start.
Assist With Data Subject Rights
Individuals in the EU have strong rights under GDPR: access, rectification, erasure (often referred to as the right to be forgotten), restriction, portability and objection. As a processor, you must assist your controller client in responding to these requests within strict timelines, following their instructions. The controller generally has one month to respond to the individual, so your contract will usually require you to locate and act on the relevant data well inside that window.
Breach Notification (Notify The Controller Without Undue Delay)
If you experience a personal data breach, you must notify the controller without undue delay. The controller is responsible for notifying the regulator and affected individuals where required, and its own 72-hour clock for notifying the supervisory authority starts running once it becomes aware of the breach. Every hour you take to escalate eats into that window, so your contract will usually set a specific notification deadline.
Having a tested Data Breach Response Plan makes a big difference when minutes matter.
Maintain Records Of Processing (ROPA) Where Required
Processors may need to maintain records of processing activities (often called “ROPA”). While there are limited exemptions for organisations with fewer than 250 employees, those exemptions are narrow. You’ll still need records if processing is not occasional, involves special-category data or criminal data, or is likely to risk individuals’ rights.
In practice, many processors maintain a lightweight ROPA to document what they process, on whose behalf, where the data flows, and how it is protected.
Manage Sub‑Processors Properly
If you want to engage sub‑processors (for example, cloud hosting, email platforms, analytics providers), you must have the controller's prior written authorisation, either specific or general, and pass down equivalent obligations via a contract. Under a general authorisation you must still inform the controller of any intended additions or replacements and give them a chance to object. Keep a current list of sub‑processors and notify the controller of changes in line with your agreement. You remain fully liable to the controller for your sub‑processors' performance.
Support Impact Assessments And Audits
Controllers may need to conduct a Data Protection Impact Assessment (DPIA) or audit. As a processor, you must assist by providing necessary information about your systems, security measures and sub‑processors, within the boundaries of confidentiality and proportionality.
International Data Transfers
Cross‑border transfers are tightly regulated under GDPR. If you transfer personal data outside the EEA as part of your services, you must only do so on the controller's documented instructions and using a valid transfer mechanism. Australia has no EU adequacy decision, so data flowing from an EU controller to your Australian systems will typically rely on standard contractual clauses (between the controller and you, and again between you and any non-EEA sub‑processor), supported by a transfer risk assessment.
Appoint A Data Protection Officer (DPO) If Required
Some processors need to appoint a DPO, for example if your core activities involve large‑scale, regular and systematic monitoring of individuals or large‑scale processing of special‑category data. Many Australian processors won't meet this threshold, but it's worth assessing given your services and client base.
Contracts And Documents Processors Should Have In Place
Your contracts and policies are the backbone of GDPR compliance. They clarify roles, allocate responsibilities and help you demonstrate accountability.
Data Processing Agreement (DPA)
A DPA is mandatory whenever you process personal data on behalf of a controller. It must be in writing and include specific GDPR terms: subject matter, scope and duration of processing, the controller's instructions, confidentiality commitments from your staff, security measures, sub‑processor rules, assistance with rights requests, DPIAs and breaches, deletion or return of data on exit, and audit rights. Many vendors build these terms into a standalone Data Processing Agreement or into their master service agreement via an addendum.
Main Services Agreement Or Terms
Your underlying client contract should align with the DPA, clearly identify each party’s role (controller vs processor), set service levels for privacy/security assistance, and describe any fees for extraordinary support (e.g. subject access support beyond a baseline).
Privacy Policy And Collection Notice
Even as a processor, you still handle personal information in Australia for your own business (think leads, payroll, support tickets). A clear, compliant Privacy Policy and, where relevant, a Privacy Collection Notice help you meet domestic obligations and build trust with customers and staff.
Security And Governance Documents
- Information Security Policy: Sets out how you protect data across people, process and technology, and is useful for tenders and controller due diligence. Link it with technical standards (access control, encryption, backups) and staff training.
- Incident/Breach Procedures: Your Data Breach Response Plan should cover detection, containment, investigation, communication and lessons learned.
These documents don’t need to be complex; they need to be accurate, used in practice, and proportionate to the risk in your operations.
Practical Tips For Contracting As A Processor
- Make sure your service descriptions match reality. Don't promise security controls you don't actually operate; a controller's audit right means the gap will eventually be found.
- Keep a current inventory of sub‑processors, regions and data locations to avoid surprises during due diligence.
- Build a playbook for handling rights requests and controller queries so you can respond within GDPR timelines.
- Agree sensible cost and scope boundaries for extraordinary assistance (e.g. large‑scale data export for portability).
Common Tricky Areas For Australian Processors
A few points often cause confusion. Here’s what to watch out for.
EU Representative And Local Presence
Some non‑EU controllers and processors need to appoint an EU representative if they're in scope of GDPR. There are exceptions (for example, processing that is occasional, does not include large‑scale special‑category or criminal data, and is unlikely to result in a risk to individuals). Whether you need one depends on your specific activities and risk profile, so don't assume it's automatic or that you're exempt.
Who Is The Controller?
Controllers aren’t always the “customer” in your commercial relationship. If you re‑use or combine customer data to drive your own analytics or product features, you may be a controller for that stream. Be honest about who decides the purpose and essential means for each dataset.
Records Of Processing (ROPA) Exemptions Are Narrow
Small organisations sometimes believe they’re exempt from keeping processing records. In reality, many processors still need a ROPA because processing is ongoing, involves sensitive data, or presents potential risk. A concise, up‑to‑date register is usually worth maintaining.
International Transfers Happen Quietly
Check where your tools store backups, logs and support tickets. You may have transfers outside the EEA through sub‑processors you barely touch day‑to‑day (for example, email support systems). Make sure transfers are covered by the controller’s instructions and contractual mechanisms.
Retention And Deletion
Controllers decide how long data should be kept, but processors must implement it. Build deletion into your offboarding and backup workflows and align with your controller's retention schedules; if data in backups can only be purged on a rotation cycle, say so in the DPA rather than promising immediate erasure. For your own Australian operations, it's good practice to think about data retention laws in Australia as part of your broader compliance program.
How Does GDPR Interact With Australian Privacy Law?
Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs) regulate how many local businesses handle personal information. If you handle both EU and Australian personal data, you may need to comply with both regimes.
There's overlap (transparency, security, access and correction) but also important differences. GDPR has stricter legal bases for processing and more expansive individual rights. The APPs have their own rules around overseas disclosures, notifiable data breaches and direct marketing. Planning for both sets of obligations from the start will save time and help you avoid re‑work.
At a minimum, make sure you have the right foundations for your Australian operations: clear notices, a user‑friendly Privacy Policy, and internal processes that are privacy‑by‑design. Then layer GDPR requirements on top for the specific processing you perform for EU‑linked clients or users.
Key Takeaways
- Under GDPR, a processor handles personal data on a controller’s documented instructions; the controller can be located anywhere, not just in the EU.
- Australian businesses fall within GDPR if they offer goods or services to, or monitor the behaviour of, individuals in the EU, even without a European office.
- Core processor duties include following instructions, implementing strong security, assisting with rights requests, rapid breach notification, maintaining appropriate records, and managing sub‑processors.
- Put robust contracts and policies in place, including a written Data Processing Agreement, a clear Privacy Policy, an Information Security Policy, and a tested Data Breach Response Plan.
- Don't rely on broad exemptions. ROPA, EU representative and international transfer rules require a careful, fact‑specific assessment, and Australia has no EU adequacy decision.
- If you handle EU and Australian data, plan for GDPR and the APPs together to avoid gaps and keep your compliance efficient.
If you'd like a consultation about GDPR processor obligations, contracts and privacy compliance for your business, you can reach Sprintlaw at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligation chat.