GDPR Data Processor — Plain English Definition + Examples
Definition
Under GDPR Article 4(8), a data processor is the natural or legal person that processes personal data on behalf of a controller, following the controller's documented instructions — for MICE events, this is usually the hotel handling attendee data on the buyer's behalf.
In day-to-day European MICE and procurement work, the GDPR data processor role sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough; what matters is how it interacts with the other levers a planner or procurement team can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real sourcing.
Why GDPR Data Processor matters
Processor status limits liability but adds operational obligations: the hotel must follow written instructions, implement appropriate security, notify breaches within 24 hours, allow audits, and use sub-processors only with the controller's permission. Getting these wrong creates direct hotel liability under GDPR.
The practical takeaway: planners and procurement teams who get the GDPR data processor role right typically see measurable improvements in cost, risk exposure, or cycle time, and sometimes in all three. Teams who default to the supplier's standard language usually leave 5-15% of total event value on the table, often without realizing it. The skill is recognising GDPR data processor terms when they appear, knowing the market-standard range, and treating any deviation from that range as a negotiation point, not a take-it-or-leave-it term.
Example
A hotel receives the rooming list (attendee names, dietary requirements) from the buyer. As processor, the hotel may use this data only for executing the buyer's event — not for marketing, loyalty enrolment, or sharing with third parties. The buyer's instructions are documented in the DPA.
This example is representative of mid-to-large European corporate MICE: pharma, finance, tech, professional services. Smaller events (under 50 attendees) and very large events (1,000+) often follow different conventions, but the underlying logic of the GDPR data processor role stays the same. The numbers move, the principle doesn't.
Where GDPR Data Processor appears in contracts
Processor obligations are codified in the GDPR Art. 28 DPA, which must be in place before any data is shared. Without a DPA, both parties are exposed to regulator action — the controller for failing to ensure processor compliance, the processor for unlawful processing.
When reviewing a hotel proposal or contract draft, scan for GDPR data processor terms early; it's often easier to negotiate before the supplier has anchored on their preferred position. Easy RFP surfaces these terms in every comparison view so planners can spot deviations from market-standard ranges at a glance, rather than reading 14-page proposals line by line.
Put this into practice
Easy RFP builds GDPR data processor thinking into every hotel RFP, so you negotiate from data, not from memory.