March 31, 2023

Volume XIII, Number 90


What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)

This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Part 4: Focus on “Third Parties”, “Recipients” and “Persons Authorised to Process Personal Data”

What About “Third Parties” and “Recipients” Referred to in the GDPR?

The GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations. The EDPB Guidelines consider their roles from the perspective of their relationship to a controller or processor. Depending on the circumstances, they may be classified as controllers for those processing activities for which they determine the purpose and means.

Third Parties

The GDPR provides a negative definition of “third party”. It is a natural or legal person, public authority, agency or body other than:

  • the data subject,
  • the controller,
  • the processor and
  • persons who, under the direct authority of the controller or processor, are authorised to process personal data (Article 4(10)).

An example given is where a company uses cleaning services. In such a case, there is no intention to engage the cleaning service company or its employees in the processing of personal data. However, the cleaning personnel may potentially have access to personal data on the premises. “The cleaning service company and its employees are therefore to be seen as a third party.”

In cases where a third party has potential access to data because of its contractual relations with the controller or processor, the controller or processor “must make sure that there are adequate security measures to prevent that they have access to data and lay down a confidentiality duty in case they should accidentally come across personal data”.

Third parties may exist even within a group of companies – for example, where a parent company requests employee data from all subsidiaries in order to produce group-wide statistics. When transferring data, the affiliates (employers processing data for HR purposes) would consider the parent as a third party. This third party acts as a controller for its processing of the data for statistical purposes.

Persons who, under the direct authority of the controller or processor, are authorised to process personal data

The concept of “persons who, under the direct authority of the controller or processor, are authorised to process personal data” is not defined in the GDPR. It is generally understood as referring to persons who are associated with the legal entity of the controller or processor such as, for instance, employees or persons who have a “role highly comparable to that of employees, e.g. interim staff”.

Where such a person processes data outside of his or her role or authorisation, they should be considered as a third party vis-à-vis the relevant processing.


A “recipient” is “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (Article 4(9)).

An example that the EDPB provides on recipients describes a scenario where a travel agency shares the travel arrangements of individual customers with airlines, hotels and organisers of excursions. These will be recipients of data in order for them to carry out their respective services. In this example, the recipients will be considered as independent controllers for the purposes of providing their own services.

Thus, the recipient is a party to which the controller or the processor intentionally discloses the data, which is why Articles 13, 14 and 15 of the GDPR require controllers to include “the recipients or categories of recipients of the personal data, if any” in the list of information to be provided to data subjects.

Article 4(9) and Recital 31 of the GDPR indicate that public authorities are not to be considered recipients when they receive personal data in the framework of a particular inquiry in accordance with Union or Member State law (e.g. tax and customs authorities, financial market investigation units). Recital 31 provides: “The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.”

© Copyright 2023 Squire Patton Boggs (US) LLP
National Law Review, Volume X, Number 328

About this Author

Rosa Barcelo Data Privacy & Cybersecurity Attorney Squire Patton Boggs Brussels, Belgium

Rosa Barcelo co-chairs the firm’s global Data Privacy & Cybersecurity Practice. She counsels clients on data protection and privacy, including compliance with the GDPR and the ePrivacy Directive. Her expertise includes advising organizations on structuring international data transfers, BCRs, completing Data Protection Impact Assessments, drafting data processor agreements and carrying out lead authority assessments. Rosa’s practice has particular focus on cutting-edge ICT issues, including AI, machine learning, autonomous vehicles, programmatic advertising and online tracking...

Stephanie Faber International Business Attorney Squire Patton Boggs Paris, France
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well as regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs
  • Data breach management and notification
  • Database creation, international...

Asel Ibraimova Data Protection Attorney Squire Patton Boggs London, UK

Asel Ibraimova is an associate with expertise in the UK and European data protection matters. She is qualified as a Certified Privacy Professional/Europe.

Asel has worked in the healthcare industry and media industry as an in-house lawyer, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers,...
