Article 4 (10). GDPR. Third Party

Author: András Jóri

(10) ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

I. Preliminary remarks

Third party is a technical term defined by the GDPR to be used to determine whose interests are relevant if the processing is carried out on the legal basis of a legitimate interest of a third party (→ Art. 6 para. 1 lit. f mn. 51).

II. Legislative history

Art. 2 lit. f DPD contained a definition of the third party almost identical with that of the GDPR, with only stylistic differences. The DPD used the term regarding legal bases regulated in its Art. 7 lit. e and lit. f. The Comm-P omitted the definition, and remarkably also would have limited the use of the “legitimate interest” legal basis to that of the controller. At the same time the Comm-P used the term “third party” in the context of the right to be forgotten (the controller had to inform “third parties” about data subject requests regarding erasure). The final text returned to the solution of the DPD regarding the definition and the legal basis currently in Art. 6 para. 1 lit. f and omitted the term from the provisions guiding the right to erasure (with Art. 17 para. 2 of the GDPR using “controller” and Art. 19 using “recipient”). Finally, the legal basis currently set out by Art. 6 para. 1 lit. e GDPR can be used only if the processing is necessary for the task carried out in the public interest or in the exercise of official authority “vested in the controller”, which is the solution proposed by the Comm-P – the DPD, in its Art. 7 lit. e used the text “vested in the controller or in a third party to whom the data are disclosed”.

III. Analysis

1. The role of the definition in the Regulation

The term “third party” is used by the GDPR in the context of the lawfulness of processing. According to Art. 6 para. 1 lit. f, legitimate interest of a third party can serve as a legal basis of data processing. The text is using the term when referring to Art. 6 para. 1 lit. f when setting out provisions on the right of information (information shall be provided to the data subject on the legitimate interest pursued by the controller or by a third party according to Art. 13 para. 1 lit. d (→ Art. 13 mn. 6) and Art. 14 para. 2 lit. b.

In some Member State laws, the term “third party” was used to distinguish between various actors to whom the data were disclosed; disclosure to a “third party” qualified as data transfer (thus, a data processing activity subject to a legal basis), while disclosure to an entity not falling under the term “third party” arguably did not qualify as data transfer according to data protection law. As the literature states, the legislator originally used the term in the DPD to distinguish between actors that have no connection with the processing and other recipients. Such an original goal can be deducted also by the fact that the definition of “recipient” expressly mentions the term “third party”, seemingly defining a set of entities within the group of recipients as third parties. Even if the definition could have been used in such a way by the legislator, we must emphasize that the GDPR does not follow this logic: the functions of the two definitions differ, third party being used only in context of Art. 6, while recipient covering almost all entities the data are disclosed to.

Notwithstanding the above, documents adopted by the Comm based on the authorization as set out by the GDPR do use the term “third party” to describe entities to whom data are disclosed, see e.g. in the context of onward transfers by data importers in the standard contractual clauses for the transfer of personal data to third countries adopted by the Comm in June 2021.

[…]

Article 4(9). GDPR. Recipient

September 8, 2023

Article 4(11). GDPR. Consent

September 6, 2023

EU GDPR, Article-by-Article commentary