A data processor is a person or organization that processes personal data on behalf of a data controller. Their role should be regulated in a so-called Data processing agreement (DPA) signed between the data controller and data processor.
Among other things, the data processor:
must have adequate information security measures in place
shouldn’t engage sub-processors without the prior consent of the controller
must cooperate with the authorities in the event of an enquiry
must report data breaches to the controller as soon as they become aware of them, without undue delay