What is a data processor in email marketing?

A data processor is an organization that processes personal data on behalf of and under the instructions of a data controller. In email marketing contexts, the most common processor is your Email Service Provider (ESP)-they store your subscriber data, send emails on your behalf, track engagement, and manage unsubscribes, all according to your instructions. They don't independently decide how to use your subscriber list; they execute your campaigns as you direct. This instruction-bound relationship is what distinguishes processors from controllers.

Beyond ESPs, other common processors in email marketing include: CRM platforms that store and manage subscriber data, analytics providers that process engagement data, data enrichment services that enhance subscriber records, deliverability monitoring tools that analyze sending patterns, and marketing automation platforms that orchestrate email sequences. Any third party that handles your subscriber personal data in support of your operations, under your direction, is likely a processor requiring appropriate contracts and oversight.

The processor designation carries specific legal obligations. Under GDPR Article 28, you (as controller) must only use processors that provide sufficient guarantees of compliance, must have a written contract (the Data Processing Agreement) governing the relationship, and must ensure processors don't engage sub-processors without your authorization. Processors must process data only on your instructions, implement appropriate security, assist with compliance obligations, and return or delete data upon contract termination. Your processor is an extension of your data handling-choose them carefully, contract with them properly, and oversee them appropriately.