Under the GDPR, every data controller that processes personal data through a data processor must conclude a GDPR-compliant data processing agreement with the processor