Analysis of Article 4(10) GDPR reveals that a third party is defined as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data” (GDPR, 2016). This definition distinguishes third parties sharply from controllers and processors.
Main Distinctions Identified:
Practical Examples:
- Social media plugins embedded on websites (e.g., Facebook Like button) frequently act as third parties, collecting user data for their own business purposes.
- Ad networks that receive user information from a publisher and use it for profiling and targeted advertising illustrate third-party processing.
Implications for Compliance:
- Obligations Differ: Third parties are not held to the same contractual obligations as processors; they must establish their own legal basis for processing under GDPR Articles 6 and 7.
- Risk of Unlawful Processing: Sharing data with third parties without a clear legal basis or proper transparency exposes controllers to significant regulatory risk [Kuner et al., 2020].
- Transparency Requirements: Controllers must clearly inform data subjects in privacy notices about any transfers to third parties and their intended purposes (GDPR Recital 58).