A data processor is an organisation that processes personal data on behalf of another organisation If the University passes personal data to a company or an organisation to carry out the University's work on the University's behalf and instructs this company or organisation on what should be done with that data and how to do this by means of a contract, then the receiving organisation is a data processor. The University will only be legally responsible for any breaches of data protection legislation by a data processor if no contract is in place, and if the University has not satisfied itself that the data processor has adequate security provisions in place. Example If information held in the University library database is passed to an information technology company to carry out maintenance tests, this is done so as a data controller-to-data processor transfer. This is because the University will retain control over the data and the purposes for which it is processed. If the University were not to retain control, this would be a data controller-to-data controller transfer.