Article 4(9). GDPR. Recipient

 

Author: András Jóri 

(9) ‘Recipient’ means a natural or legal person, public authority, agency or another body to whom the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

I. Preliminary remarks

Recipient is a term defined by the GDPR to denote entities to whom personal data are disclosed. The term is used by the GDPR e.g. when determining the scope of the right to information and the right to access, as well as that of the records of data processing activities.

 

II. Legislative history

Art. 2 lit. g DPD defined recipient as “a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients”. The main characteristics of the definition were the same as in the GDPR, including the exception provided for public authorities carrying out a “particular inquiry”. The link to the definition of “third party” was also present in the DPD (→ Art. 4 (10) mn. 9). The term was used by the DPD to determine the content of the right to information (Art. 10 and Art. 11), the right to access (Art. 12), and in the context of regulation of the possible simplification of notification to the SA and the content of such notification (Art. 18 and Art. 19). Taking into account the elimination of the notification obligation by the GDPR and the creation of the internal record-keeping obligation as per Art. 30, the definition (mutatis mutandis) serves the same role as it did in the system of the DPD. The Comm-P contained a shorter definition, omitting the reference to authorities involved in a “particular inquiry”. The text of the Comm-P also included an article titled “Rights in relation to recipients”, which, in a slightly amended form and under a different title, made its way to the final text of the GDPR as Art. 19.

III. Analysis

 

1. The role of the definition in the Regulation

According to Art. 13 and Art. 14, the data subject shall be informed about the recipients or categories of recipients of personal data, whether or not the data are collected from the data subject (→ Art. 13 mn. 6). Art. 14 para. 1 lit. f also mentions the transfer to a “recipient in a third country” among the mandatory elements of information provided in case the data have not been obtained from the data subject; Art. 14 para. 3 lit. c determines the timeframe for providing the information using the definition of “recipient” (→ Art. 14 mn. 8). According to Art. 15 para. 1 lit. c, the data subject shall be provided access to the information about the “recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations”. Art. 19 regulates the notification obligation regarding rectification or erasure, as well as regarding restriction of the processing: the controller shall communicate such measures to each recipient to whom the data have been disclosed (→ Art. 19 mn. 5), and the data subject shall also be informed about the recipients, subject to exceptions set out by that article (→ Art. 19 mn. 9). The record of processing activities shall include “the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations”, according to Art. 30 para. 1 (→ Art. 30 mn. 7). Art. 46 para. 3 lit. a mentions recipients as entities that can use contractual clauses entered into with the controller or processor to provide appropriate safeguards when transferring personal data to third countries or international organisations (→ Art. 46 mn. 27). The term also appears in the context of international data transfers (transfers from public registries that can be consulted by persons with a legitimate interest) in Art. 49 para. 2; regarding the powers of the SA in Art. 58 para. 1 lit. g and lit. j; and in Art. 83 para. 5 lit. c on administrative fines.

The main role of the definition is to determine the scope of the right to information and access, also providing a reasonable exception regarding public authorities (see below) and an important element of the records as set out by Art. 30 para. 1 (→ mn. 3). Recipient is more a function, a descriptive term, not a subject of data protection law; as the Committee of (CoE) Convention 108 eloquently puts it – discussing the similar term used by that Convention – “the term “recipient” cannot be regarded as a legal status (underpinned by rights and obligations) but as a term which describes a situation where an additional layer in the relationship of the data subject and the controllers and processors are added by the operation(s) of the initial controller”.[1]

2. “Natural or legal person, public authority, agency or body”

As to the meaning of “natural or legal person, public authority, agency or body”, see the commentaries on controller (Art. 4 (7) mn. 3) and processor (Art. 4 (8) mn. 5). For the exception regarding public authorities making “particular inquiries”, see below at mn. 8 et seq.

[1] Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Convention 108; Interpretation of Provisions (T-PD (2020) 06rev3, 7 May 2021), p. 2.

 

[…]

 

 
