The Data Processor
Data Processors take the data they are given by a Data Controller and do what the Data Controller told them to do with it.
The relationship between a Data Processor and a Data Controller is defined by a legal contract between the two parties.
If you are already a Data Controller, you will also be a Data Processor. You can process data yourself or you can outsource the processing. For example if you process credit card payments through a Payment Card service provider. They tell you what to do, you just do it.
Data Processing Contract
As a Data Processor you must confine your processing activity to what the contract specifies. If you go “off piste” and make your own decisions about what is done with the data you are given, then under GDPR your role will be redefined as a Data Controller. So not only will you be in breach of contract with the Data Controller you’re dealing with, you will also have a raft of new obligations.
From a hotel marketing point of view, you might want to send out your own direct marketing emails. In which case your doing the processing yourself. You could just as easily select a third party specialist service provider and use their email autoresponder system. In which case they provide the system, you put your data into it and decide what happens to it, they carry out that process on your behalf.
If a Data Breach occurs as part of the processing, the Data Processor is obliged to notify the Data Controller.
Similarly if there is a part of the processing specification which is not compliant with GDPR, the Data Processor should notify the Data Controller of the fact and retain a record that they did so.