Article 4 paragraph 8 GDPR:
”Data Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;”
The recitals often refer to “the controller or the processor” who must comply with the rules. Recital 146 is noteworthy”The controller or data processor must make good any damage that a person may suffer as a result of processing that infringes this Regulation. The controller or data processor should be released from liability if it proves that it is not responsible for the damage.” There is a network liability of controllers or the (sub) data processors.
Article 24 et seq. GDPR: controller and processor.
…”the controller (takes) appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation.”, Article 24 paragraph 1 GDPR.
…”the controller (shall) only use processors that provide adequate guarantees regarding the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of this Regulation and the protection of the rights of the data subject is ensured .“, Article 28 paragraph 1 GDPR.
Examples of processors: it is often an external organization that processes personal data on behalf of the controller. Think of: cloud service provider, internet service providers, payroll processor and outsourced administrations, partnerships and other related parties.