What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)
This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Part 4: Focus on Third Parties, “Recipients” and ‘Persons Authorised to Process Personal Data’
What About “Third Parties” and “Recipients” Referred to in the GDPR?
The GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations. The EDPB Guidelines consider their roles from the perspective of their relationship to a controller or processor. Depending on the circumstances, they may be classified as controllers for those processing activities for which they determine the purpose and means.
The GDPR provides a negative definition of “third party”. It is a natural or legal person, public authority, agency or body other than:
- the data subject,
- the controller,
- the processor and
- persons who, under the direct authority of the controller or processor, are authorised to process personal data (Article 4(10)).
An example given is where a company uses cleaning services, in such case there is no intention to engage the cleaning service company or its employees in the processing of personal data. However, the cleaning personnel may potentially have access to personal data on the premises. “The cleaning service company and its employees are therefore to be seen as a third party.”
In cases where a third party has potential access to data because of its contractual relations with the controller or processor, the controller or processor “must make sure that there are adequate security measures to prevent that they have access to data and lay down a confidentiality duty in case they should accidentally come across personal data”.
Third parties may exist even within a group of companies – for example, where a parent company requests employee data from all subsidiaries in order to produce group-wide statistics. When transferring data, the affiliates (employers processing data for HR purposes) would consider the parent as a third party. This third party acts as a controller for its processing of the data for statistical purposes.
Persons who, under the direct authority of the controller or processor, are authorised to process personal data
The concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is a concept that is not defined in the GDPR. It is generally understood as referring to persons who are associated with the legal entity of the controller or processor such as, for instance, employees or persons who have a “role highly comparable to that of employees, e.g. interim staff”.
Where such a person processes data outside of his or her role or authorisation, they should be considered as a third party vis-à-vis the relevant processing.
A “recipient” is “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (Article 4(9)).
An example that the EDPB provides on recipients describes a scenario where a travel agency shares the travel arrangements of individual customers with airlines, hotels and organisers of excursions. These will be recipients of data in order for them to carry out their respective services. In this example, the recipients will be considered as independent controllers for the purposes of providing their own services.
Thus, the recipient is a party to which the controller or the processor intentionally disclose the data, which is why Articles 13, 14 and 15 of the GDPR requires controllers to include “the recipients or categories of recipients of the personal data, if any” in the list of information to be provided to data subjects.
Article 4(9) and Recital 31 of the GDPR indicate that public authorities are not to be considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law (e.g. tax and customs authorities, financial market investigation units). Recital 31 provides “The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.”