A processor may make its own day-to-day operational decisions, but Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by EU or Member State law (in that case it must inform the controller of this legal requirement before the processing, unless that law prohibits it doing so on important grounds of public interest). This is also a required contract term under Article 28(3)(a).
If a processor acts outside of a controller’s instructions in such a way that it decides the purpose and means of processing, then it will be a controller and will have the same liability as a controller.
